Windows Analysis Report
HUo09bfA3g.exe

Overview

General Information

Sample name: HUo09bfA3g.exe
renamed because original name is a hash value
Original sample name: 890050c976e19b46ef9b8c593233f30d8fa3a49f.rl.exe
Analysis ID: 1546694
MD5: bed0dcb10a33cd8cf44053ddc9452474
SHA1: 890050c976e19b46ef9b8c593233f30d8fa3a49f
SHA256: 55f2689eb148461cadaed5f5c970ebe830143848208b813de2819defa118356b
Tags: exeReversingLabsuser-NDA0E
Infos:

Detection

Neconyd
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Neconyd
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: HUo09bfA3g.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\SysWOW64\omsecor.exe Avira: detection malicious, Label: TR/SpyVoltar.absza
Source: C:\Users\user\AppData\Roaming\omsecor.exe Avira: detection malicious, Label: TR/SpyVoltar.absza
Found malware configuration
Source: HUo09bfA3g.exe Malware Configuration Extractor: Neconyd {"C2 url": ["ht:/w.irsf.o/", "http://mkkuei4kdsz.com/", "http://lousta.net/", "ht:/r.irsf.o/", "http://ow5dirasuek.com/"]}
Multi AV Scanner detection for submitted file
Source: HUo09bfA3g.exe ReversingLabs: Detection: 86%
Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\omsecor.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\omsecor.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: HUo09bfA3g.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_0040ABD9 FindFirstFileW,FindClose, 0_2_0040ABD9
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_0040ABD9 FindFirstFileW,FindClose, 3_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 3_2_00408248

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49705 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49704 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49708 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49706 -> 15.197.204.56:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49707 -> 52.34.198.229:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49774 -> 15.197.204.56:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49778 -> 52.34.198.229:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49726 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49832 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49882 -> 52.34.198.229:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49784 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49989 -> 52.34.198.229:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49991 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49992 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49888 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49994 -> 52.34.198.229:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:50000 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49997 -> 15.197.204.56:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49996 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49995 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49999 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49998 -> 52.34.198.229:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49993 -> 15.197.204.56:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49936 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.5:49983 -> 15.197.204.56:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: ht:/w.irsf.o/
Source: Malware configuration extractor URLs: http://mkkuei4kdsz.com/
Source: Malware configuration extractor URLs: http://lousta.net/
Source: Malware configuration extractor URLs: ht:/r.irsf.o/
Source: Malware configuration extractor URLs: http://ow5dirasuek.com/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /273/486.html HTTP/1.1From: 133749385754878324Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=428//8]45232^b93425d7]`a.4d,891aHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /89/483.html HTTP/1.1From: 133749385754878324Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=428//8]45232^b93425d7]`a.4d,891aHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /966/777.html HTTP/1.1From: 133749385754878324Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=428//8]45232^b93425d7]`a.4d,891aHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /663/854.html HTTP/1.1From: 133749385754878324Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=428//8]45232^b93425d7]`a.4d,891aHost: ow5dirasuek.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /763/48.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /741/863.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /671/523.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /569/642.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=b76064335cd4ff9f0f24a6991b5c62bf|173.254.250.82|1730464988|1730464988|0|1|0
Source: global traffic HTTP traffic detected: GET /262/971.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;32.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /140/265.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;32.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /17/791.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;32.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /417/147.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;32.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=b76064335cd4ff9f0f24a6991b5c62bf|173.254.250.82|1730465007|1730464988|9|2|0
Source: global traffic HTTP traffic detected: GET /68/533.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`Host: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /802/499.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`Host: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /680/793.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /661/266.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=b76064335cd4ff9f0f24a6991b5c62bf|173.254.250.82|1730465025|1730464988|13|3|0
Source: global traffic HTTP traffic detected: GET /680/970.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /610/631.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /356/445.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /670/670.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=b76064335cd4ff9f0f24a6991b5c62bf|173.254.250.82|1730465045|1730464988|16|4|0
Source: global traffic HTTP traffic detected: GET /589/622.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /339/417.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /164/577.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /145/281.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=b76064335cd4ff9f0f24a6991b5c62bf|173.254.250.82|1730465064|1730464988|17|5|0
Source: global traffic HTTP traffic detected: GET /164/753.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /989/145.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: lousta.netConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 193.166.255.171 193.166.255.171
Source: Joe Sandbox View IP Address: 52.34.198.229 52.34.198.229
Source: Joe Sandbox View IP Address: 15.197.204.56 15.197.204.56
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FUNETASFI FUNETASFI
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: TANDEMUS TANDEMUS
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.5:49704 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.34.198.229:80 -> 192.168.2.5:49707
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.34.198.229:80 -> 192.168.2.5:49707
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49709
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49919
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_00407036 Sleep,DeleteFileW,CreateFileW,GetLastError,SetEndOfFile,InternetOpenUrlW,CloseHandle,InternetQueryDataAvailable,InternetReadFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle, 0_2_00407036
Source: global traffic HTTP traffic detected: GET /273/486.html HTTP/1.1From: 133749385754878324Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=428//8]45232^b93425d7]`a.4d,891aHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /89/483.html HTTP/1.1From: 133749385754878324Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=428//8]45232^b93425d7]`a.4d,891aHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /966/777.html HTTP/1.1From: 133749385754878324Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=428//8]45232^b93425d7]`a.4d,891aHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /663/854.html HTTP/1.1From: 133749385754878324Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=428//8]45232^b93425d7]`a.4d,891aHost: ow5dirasuek.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /763/48.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /741/863.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /671/523.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /569/642.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=b76064335cd4ff9f0f24a6991b5c62bf|173.254.250.82|1730464988|1730464988|0|1|0
Source: global traffic HTTP traffic detected: GET /262/971.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;32.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /140/265.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;32.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /17/791.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;32.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /417/147.html HTTP/1.1From: 133749385879253147Via: emohgso\sgt>9.6`apfc>7\qcpbo;32.1213`mt?432/_mcz?64:11:_67454`d;5647f9_bc06f.:;3cHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=b76064335cd4ff9f0f24a6991b5c62bf|173.254.250.82|1730465007|1730464988|9|2|0
Source: global traffic HTTP traffic detected: GET /68/533.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`Host: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /802/499.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`Host: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /680/793.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /661/266.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=b76064335cd4ff9f0f24a6991b5c62bf|173.254.250.82|1730465025|1730464988|13|3|0
Source: global traffic HTTP traffic detected: GET /680/970.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /610/631.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /356/445.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /670/670.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=b76064335cd4ff9f0f24a6991b5c62bf|173.254.250.82|1730465045|1730464988|16|4|0
Source: global traffic HTTP traffic detected: GET /589/622.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /339/417.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /164/577.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /145/281.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=b76064335cd4ff9f0f24a6991b5c62bf|173.254.250.82|1730465064|1730464988|17|5|0
Source: global traffic HTTP traffic detected: GET /164/753.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: lousta.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /989/145.html HTTP/1.1From: 133749385879253147Via: lmc`pfx;823_qq>8013\lgw>:195.9c36823da:933;c8c_b43e27:7`_pmdtwqvHost: lousta.netConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: lousta.net
Source: global traffic DNS traffic detected: DNS query: mkkuei4kdsz.com
Source: global traffic DNS traffic detected: DNS query: ow5dirasuek.com
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000630000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000003.00000002.2527292236.000000000065A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/140/265.html
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/140/265.htmlshqos.dll.muiaH
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/164/753.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/164/753.html36823da:933;c8c_b43e27:7
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/164/753.html=
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/164/753.htmlV
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/262/971.html
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/262/971.htmlH
Source: omsecor.exe, 00000001.00000002.2149237601.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.2149237601.0000000000819000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/273/486.html
Source: omsecor.exe, 00000007.00000002.3269015349.000000000067E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/339/417.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/339/417.html36823da:933;c8c_b43e27:7
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/589/622.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/589/622.htmlw
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/610/631.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/68/533.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/68/533.htmlJ
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/680/970.html
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/741/863.html
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/741/863.htmlQ
Source: omsecor.exe, 00000003.00000002.2527292236.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000003.00000002.2527292236.0000000000630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/763/48.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/802/499.html
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000819000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/89/483.html
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000819000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/89/483.htmlm
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/989/145.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/989/145.html#
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/989/145.html8
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/989/145.html?
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/989/145.htmlb
Source: omsecor.exe, 00000007.00000002.3268773558.0000000000195000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/989/145.htmlhtml
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/989/145.htmli
Source: omsecor.exe, 00000007.00000002.3268773558.0000000000195000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://lousta.net/com/p
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000831000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/)
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/164/577.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/164/577.html0
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/164/577.htmllv
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/164/577.html~
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/17/791.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006AC000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/356/445.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/356/445.html0(m
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/356/445.html4kdsz.com5
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/356/445.htmlT
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/356/445.htmlp
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/671/523.html
Source: omsecor.exe, 00000003.00000002.2527292236.00000000005EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/671/523.htmlh
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/671/523.htmlox
Source: omsecor.exe, 00000007.00000002.3269015349.000000000067E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.3269015349.00000000006AC000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/680/793.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/680/793.html(mFv
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/680/793.htmlZ
Source: omsecor.exe, 00000001.00000002.2149237601.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.2149237601.0000000000819000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.2149237601.0000000000831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/966/777.html
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/966/777.html#
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/966/777.html-
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/966/777.htmlU
Source: omsecor.exe, 00000001.00000002.2149237601.00000000007CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/966/777.htmlc
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/en-GB
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mkkuei4kdsz.com/ss
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000831000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006AC000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/145/281.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/145/281.html$
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/3
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/417/147.html
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/417/147.html56;x
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/417/147.htmlAxjS(
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/417/147.htmlixBS$
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/569/642.html
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/569/642.html(
Source: omsecor.exe, 00000003.00000002.2527292236.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/569/642.htmlcxHS#
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006AC000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/661/266.html
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000819000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.2149237601.0000000000831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/663/854.html
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000819000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/663/854.html-
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000819000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/663/854.html4kdsz.com5
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/663/854.html8
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/663/854.html9
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/663/854.html?
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006AC000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/670/670.html
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/670/670.htmlasuek.com
Source: omsecor.exe, 00000007.00000002.3269015349.00000000006C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/Kw
Source: HUo09bfA3g.exe, omsecor.exe.1.dr, omsecor.exe.0.dr String found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon
Source: omsecor.exe, 00000001.00000002.2149237601.0000000000819000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ow5dirasuek.com/lousta.net

E-Banking Fraud
barindex
Yara detected Neconyd
Source: Yara match File source: Process Memory Space: HUo09bfA3g.exe PID: 5952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: omsecor.exe PID: 4456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: omsecor.exe PID: 5532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: omsecor.exe PID: 2800, type: MEMORYSTR
Creates files inside the system directory
Source: C:\Users\user\AppData\Roaming\omsecor.exe File created: C:\Windows\SysWOW64\omsecor.exe Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe File created: C:\Windows\SysWOW64\merocz.xc6 Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_00401C41 0_2_00401C41
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_0040D2A4 0_2_0040D2A4
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_0040B51C 0_2_0040B51C
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_0040CBD0 0_2_0040CBD0
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_00401C41 3_2_00401C41
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_0040D2A4 3_2_0040D2A4
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_0040B51C 3_2_0040B51C
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_0040CBD0 3_2_0040CBD0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: String function: 00405511 appears 56 times
Source: C:\Windows\SysWOW64\omsecor.exe Code function: String function: 00405511 appears 56 times
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@7/3@3/3
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_0040A057 GetForegroundWindow,CoCreateInstance,SetForegroundWindow, 0_2_0040A057
Source: C:\Users\user\Desktop\HUo09bfA3g.exe File created: C:\Users\user\AppData\Roaming\omsecor.exe Jump to behavior
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: HUo09bfA3g.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\HUo09bfA3g.exe File read: C:\Users\user\Desktop\HUo09bfA3g.exe Jump to behavior
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\omsecor.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\HUo09bfA3g.exe "C:\Users\user\Desktop\HUo09bfA3g.exe"
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
Source: C:\Users\user\AppData\Roaming\omsecor.exe Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
Source: C:\Windows\SysWOW64\omsecor.exe Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe /nomove
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe /nomove Jump to behavior
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004032B8
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_0040D293 push ecx; ret 0_2_0040D2A3
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_0040CBB5 push ecx; ret 0_2_0040CBC8
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_0040D293 push ecx; ret 3_2_0040D2A3
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_0040CBB5 push ecx; ret 3_2_0040CBC8

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\omsecor.exe Executable created and started: C:\Windows\SysWOW64\omsecor.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\HUo09bfA3g.exe File created: C:\Users\user\AppData\Roaming\omsecor.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\omsecor.exe File created: C:\Windows\SysWOW64\omsecor.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\AppData\Roaming\omsecor.exe File created: C:\Windows\SysWOW64\omsecor.exe Jump to dropped file
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW, 0_2_0040350F
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW, 0_2_004039EA
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW, 3_2_0040350F
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW, 3_2_004039EA
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\omsecor.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\omsecor.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\omsecor.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\omsecor.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\HUo09bfA3g.exe API coverage: 8.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\omsecor.exe TID: 3448 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 348 Thread sleep time: -70000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 576 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 576 Thread sleep time: -180000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\omsecor.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_0040ABD9 FindFirstFileW,FindClose, 0_2_0040ABD9
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_0040ABD9 FindFirstFileW,FindClose, 3_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 3_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe Thread delayed: delay time: 60000 Jump to behavior
Source: omsecor.exe, 00000001.00000002.2149237601.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.2149237601.0000000000831000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000003.00000002.2527292236.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000003.00000002.2527292236.000000000065A000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.3269015349.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.3269015349.00000000006AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\HUo09bfA3g.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\omsecor.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CD66
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004032B8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_004075D4 GetLastError,CreateFileW,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,RtlAllocateHeap,ReadFile,ReadFile,WriteFile,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,WriteFile,CloseHandle,CloseHandle,CloseHandle, 0_2_004075D4
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004032B8
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CD66
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_004032B8
Source: C:\Windows\SysWOW64\omsecor.exe Code function: 3_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0040CD66
Source: HUo09bfA3g.exe, omsecor.exe Binary or memory string: Shell_TrayWnd
Source: HUo09bfA3g.exe, omsecor.exe.1.dr, omsecor.exe.0.dr Binary or memory string: ftpPriorHostTimeCorrUniqueNumhttp://AppEvents\Schemes\Apps\Explorer\Navigating\.currentSOFTWARE\Classes\MIME\Database\Content Type\text/htmlapplication/x-javascripttext/javascriptCLSIDBuildSOFTWARE\Microsoft\Internet ExplorerJOB FILE^nocryptPage generated at: http:__scMMdj490)0-Osdurandcrandsetvarmsec1970b_nav_time*CsMSoftware\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLsC:\WINDOWS\system32\gbdwpbm.dll.jar.mpeg.mpg.3gp.mov.mkv.wmv.avi.mp3.pdf.7z.gz.exe.rar.zip.xls.docvar scr= document.createElement("script"); scr.src = "%s"; document.getElementsByTagName("head")[0].appendChild(scr);Aahttp_self&host=track_eventsjavascriptbegun.ru/click.jsp?url=an.yandex.ru/count_blank,"url""domain""encrypted""URL""condition_id""kwtype"<domain></domain><url></url><title></title>http://click0^POSTShell.ExplorerAtlAxWineventConnShell_TrayWndAccept: */*
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_0040CB03 cpuid 0_2_0040CB03
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_00407267 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__aulldiv, 0_2_00407267
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_00407499 GetLocalTime,GetLocalTime,GetLocalTime,GetTimeZoneInformation,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_00407499
Source: C:\Users\user\Desktop\HUo09bfA3g.exe Code function: 0_2_00406CB5 GetVersionExW, 0_2_00406CB5
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1546694 Sample: HUo09bfA3g.exe Startdate: 01/11/2024 Architecture: WINDOWS Score: 100 26 ow5dirasuek.com 2->26 28 mkkuei4kdsz.com 2->28 30 lousta.net 2->30 44 Suricata IDS alerts for network traffic 2->44 46 Found malware configuration 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 4 other signatures 2->50 9 HUo09bfA3g.exe 1 2->9         started        signatures3 process4 file5 22 C:\Users\user\AppData\Roaming\omsecor.exe, PE32 9->22 dropped 12 omsecor.exe 13 9->12         started        process6 dnsIp7 32 mkkuei4kdsz.com 15.197.204.56, 49706, 49774, 49983 TANDEMUS United States 12->32 34 lousta.net 193.166.255.171, 49704, 49705, 49708 FUNETASFI Finland 12->34 36 ow5dirasuek.com 52.34.198.229, 49707, 49778, 49882 AMAZON-02US United States 12->36 24 C:\Windows\SysWOW64\omsecor.exe, PE32 12->24 dropped 52 Antivirus detection for dropped file 12->52 54 Machine Learning detection for dropped file 12->54 17 omsecor.exe 12 12->17         started        file8 signatures9 process10 signatures11 38 Antivirus detection for dropped file 17->38 40 Machine Learning detection for dropped file 17->40 42 Drops executables to the windows directory (C:\Windows) and starts them 17->42 20 omsecor.exe 13 17->20         started        process12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
193.166.255.171
 lousta.net Finland
1741 FUNETASFI true
52.34.198.229
 ow5dirasuek.com United States
16509 AMAZON-02US true
15.197.204.56
 mkkuei4kdsz.com United States
7430 TANDEMUS true

Contacted Domains

Name IP Active
lousta.net 193.166.255.171 true
mkkuei4kdsz.com 15.197.204.56 true
ow5dirasuek.com 52.34.198.229 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://mkkuei4kdsz.com/17/791.html true
    		unknown
    http://mkkuei4kdsz.com/ true
      		unknown
      http://lousta.net/680/970.html true
        		unknown
        http://lousta.net/339/417.html true
          		unknown
          http://lousta.net/68/533.html true
            		unknown
            http://lousta.net/763/48.html true
              		unknown
              http://lousta.net/140/265.html true
                		unknown
                http://lousta.net/989/145.html true
                  		unknown
                  http://lousta.net/802/499.html true
                    		unknown
                    ht:/r.irsf.o/ true
                      		unknown
                      http://mkkuei4kdsz.com/966/777.html true
                        		unknown
                        http://lousta.net/262/971.html true
                          		unknown
                          http://mkkuei4kdsz.com/671/523.html true
                            		unknown
                            http://lousta.net/589/622.html true
                              		unknown
                              http://ow5dirasuek.com/145/281.html true
                                		unknown
                                http://ow5dirasuek.com/569/642.html true
                                  		unknown
                                  http://lousta.net/273/486.html true
                                    		unknown
                                    ht:/w.irsf.o/ true
                                      		unknown
                                      http://lousta.net/164/753.html true
                                        		unknown
                                        http://ow5dirasuek.com/661/266.html true
                                          		unknown
                                          http://ow5dirasuek.com/417/147.html true
                                            		unknown
                                            http://lousta.net/ true
                                              		unknown
                                              http://ow5dirasuek.com/663/854.html true
                                                		unknown
                                                http://lousta.net/89/483.html true
                                                  		unknown
                                                  http://lousta.net/741/863.html true
                                                    		unknown
                                                    http://ow5dirasuek.com/ true
                                                      		unknown
                                                      http://mkkuei4kdsz.com/356/445.html true
                                                        		unknown
                                                        http://mkkuei4kdsz.com/164/577.html true
                                                          		unknown
                                                          http://lousta.net/610/631.html true
                                                            		unknown
                                                            http://ow5dirasuek.com/670/670.html true
                                                              		unknown
                                                              http://mkkuei4kdsz.com/680/793.html true
                                                                		unknown