Windows
Analysis Report
nNX5KYQRhg.exe
Overview
General Information
Sample name: | nNX5KYQRhg.exerenamed because original name is a hash value |
Original sample name: | 682abf7611b349bb614207e0fcca057ab84389a6.exe |
Analysis ID: | 1546830 |
MD5: | 44a881b87bb2d5dfe7062b9a7538425f |
SHA1: | 682abf7611b349bb614207e0fcca057ab84389a6 |
SHA256: | fc22b8c7e16c145772129e466d1977f14f09c1302da688eb96863e409cbb6a58 |
Tags: | exeReversingLabsuser-NDA0E |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- nNX5KYQRhg.exe (PID: 2848 cmdline:
"C:\Users\ user\Deskt op\nNX5KYQ Rhg.exe" MD5: 44A881B87BB2D5DFE7062B9A7538425F) - omsecor.exe (PID: 3756 cmdline:
C:\Users\u ser\AppDat a\Roaming\ omsecor.ex e MD5: DCC8263D314F19A3A35E32EDFCCDC942) - omsecor.exe (PID: 1268 cmdline:
C:\Windows \System32\ omsecor.ex e MD5: 1FB6FB78751B952FE1D6BEBA89C93830) - omsecor.exe (PID: 3908 cmdline:
C:\Windows \SysWOW64\ omsecor.ex e /nomove MD5: 1FB6FB78751B952FE1D6BEBA89C93830)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Neconyd | No Attribution |
{"C2 url": ["http://mkkuei4kdsz.com/", "http://ow5dirasuek.com/", "ht:/w.irsf.o/", "ht:/r.irsf.o/", "http://lousta.net/"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security | ||
JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security | ||
JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security | ||
JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-01T16:22:19.281249+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.6 | 49763 | TCP |
2024-11-01T16:22:57.393256+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.6 | 49973 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-01T16:22:01.694283+0100 | 2016998 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 193.166.255.171 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-01T16:22:20.910667+0100 | 2018141 | 1 | A Network Trojan was detected | 52.34.198.229 | 80 | 192.168.2.6 | 49776 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-01T16:22:20.910667+0100 | 2037771 | 1 | A Network Trojan was detected | 52.34.198.229 | 80 | 192.168.2.6 | 49776 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-01T16:21:58.969242+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50009 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:10.199354+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49709 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:18.801892+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49727 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:19.623901+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49769 | 15.197.204.56 | 80 | TCP |
2024-11-01T16:22:20.790141+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49776 | 52.34.198.229 | 80 | TCP |
2024-11-01T16:22:29.863054+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49788 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:38.613596+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49830 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:39.356294+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49879 | 15.197.204.56 | 80 | TCP |
2024-11-01T16:22:40.327774+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49885 | 52.34.198.229 | 80 | TCP |
2024-11-01T16:22:48.943456+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49891 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:57.731117+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49938 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:58.006313+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49879 | 15.197.204.56 | 80 | TCP |
2024-11-01T16:22:58.961028+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49983 | 52.34.198.229 | 80 | TCP |
2024-11-01T16:23:07.664946+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49989 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:23:16.258859+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49995 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:23:16.999344+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49996 | 15.197.204.56 | 80 | TCP |
2024-11-01T16:23:17.946497+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49997 | 52.34.198.229 | 80 | TCP |
2024-11-01T16:23:26.666239+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49998 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:23:35.272306+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49999 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:23:36.587988+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50001 | 15.197.204.56 | 80 | TCP |
2024-11-01T16:23:37.569661+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50002 | 52.34.198.229 | 80 | TCP |
2024-11-01T16:23:46.286758+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50003 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:23:55.051681+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50004 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:23:55.834896+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50005 | 15.197.204.56 | 80 | TCP |
2024-11-01T16:23:56.826488+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50006 | 52.34.198.229 | 80 | TCP |
2024-11-01T16:24:05.543153+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50007 | 193.166.255.171 | 80 | TCP |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: | 0_2_0040ABD9 | |
Source: | Code function: | 0_2_00408248 | |
Source: | Code function: | 5_2_0040ABD9 | |
Source: | Code function: | 5_2_00408248 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: | ||
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_00407036 |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior |
Source: | Code function: | 0_2_00401C41 | |
Source: | Code function: | 0_2_0040D2A4 | |
Source: | Code function: | 0_2_0040B51C | |
Source: | Code function: | 0_2_0040CBD0 | |
Source: | Code function: | 5_2_00401C41 | |
Source: | Code function: | 5_2_0040D2A4 | |
Source: | Code function: | 5_2_0040B51C | |
Source: | Code function: | 5_2_0040CBD0 |
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_0040A057 |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Evasive API call chain: | graph_5-5766 | ||
Source: | Evasive API call chain: | graph_0-5765 |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 0_2_004032B8 |
Source: | Code function: | 0_2_0040D2A3 | |
Source: | Code function: | 0_2_0040CBC8 | |
Source: | Code function: | 5_2_0040D2A3 | |
Source: | Code function: | 5_2_0040CBC8 |
Persistence and Installation Behavior |
---|
Source: | Executable created and started: | Jump to behavior |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Source: | Code function: | 0_2_0040350F | |
Source: | Code function: | 0_2_004039EA | |
Source: | Code function: | 5_2_0040350F | |
Source: | Code function: | 5_2_004039EA |
Source: | Evasive API call chain: | graph_5-5799 | ||
Source: | Evasive API call chain: | graph_0-5799 | ||
Source: | Evasive API call chain: | graph_0-5799 | ||
Source: | Evasive API call chain: | graph_5-5799 |
Source: | Evasive API call chain: | graph_5-5733 | ||
Source: | Evasive API call chain: | graph_0-5861 | ||
Source: | Evasive API call chain: | graph_5-5861 | ||
Source: | Evasive API call chain: | graph_0-5784 |
Source: | API coverage: |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: |
Source: | Code function: | 0_2_0040ABD9 | |
Source: | Code function: | 0_2_00408248 | |
Source: | Code function: | 5_2_0040ABD9 | |
Source: | Code function: | 5_2_00408248 |
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-5889 | ||
Source: | API call chain: | graph_5-5889 |
Source: | Code function: | 0_2_0040CD66 |
Source: | Code function: | 0_2_004032B8 |
Source: | Code function: | 0_2_004075D4 |
Source: | Code function: | 0_2_004032B8 | |
Source: | Code function: | 0_2_0040CD66 | |
Source: | Code function: | 5_2_004032B8 | |
Source: | Code function: | 5_2_0040CD66 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 0_2_0040CB03 |
Source: | Code function: | 0_2_00407267 |
Source: | Code function: | 0_2_00407499 |
Source: | Code function: | 0_2_00406CB5 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 2 Process Injection | 121 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 21 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 11 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
87% | ReversingLabs | Win32.Trojan.ButeRat | ||
100% | Avira | TR/SpyVoltar.absza | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | TR/SpyVoltar.absza | ||
100% | Avira | TR/SpyVoltar.absza | ||
100% | Joe Sandbox ML | |||
100% | Joe Sandbox ML |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
lousta.net | 193.166.255.171 | true | true | unknown | |
mkkuei4kdsz.com | 15.197.204.56 | true | true | unknown | |
ow5dirasuek.com | 52.34.198.229 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
193.166.255.171 | lousta.net | Finland | 1741 | FUNETASFI | true | |
52.34.198.229 | ow5dirasuek.com | United States | 16509 | AMAZON-02US | true | |
15.197.204.56 | mkkuei4kdsz.com | United States | 7430 | TANDEMUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1546830 |
Start date and time: | 2024-11-01 16:21:07 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | nNX5KYQRhg.exerenamed because original name is a hash value |
Original Sample Name: | 682abf7611b349bb614207e0fcca057ab84389a6.exe |
Detection: | MAL |
Classification: | mal100.bank.troj.evad.winEXE@7/3@3/3 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: nNX5KYQRhg.exe
Time | Type | Description |
---|---|---|
11:22:09 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
193.166.255.171 | Get hash | malicious | Neconyd | Browse |
| |
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Pushdo | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
52.34.198.229 | Get hash | malicious | Neconyd | Browse |
| |
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Sakula RAT | Browse |
| ||
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ow5dirasuek.com | Get hash | malicious | Neconyd | Browse |
| |
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
mkkuei4kdsz.com | Get hash | malicious | Neconyd | Browse |
| |
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
lousta.net | Get hash | malicious | Neconyd | Browse |
| |
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
FUNETASFI | Get hash | malicious | Neconyd | Browse |
| |
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
AMAZON-02US | Get hash | malicious | Neconyd | Browse |
| |
Get hash | malicious | Okiru | Browse |
| ||
Get hash | malicious | Mirai, Okiru | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
TANDEMUS | Get hash | malicious | Neconyd | Browse |
| |
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | FormBook, GuLoader | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | C:\Users\user\Desktop\nNX5KYQRhg.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 82768 |
Entropy (8bit): | 6.931973987188612 |
Encrypted: | false |
SSDEEP: | 1536:nd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:PdseIOMEZEyFjEOFqTiQmOl/5xPvw3 |
MD5: | DCC8263D314F19A3A35E32EDFCCDC942 |
SHA1: | D4AD269F9FEDD8B359B1AD2A380A200E92656D74 |
SHA-256: | 7BF175DA76679D24C80F78BE8A38E9D71286F944885CBD3B349B1E5AA43CEF17 |
SHA-512: | 4B9BCC64347700EC9998A8A11B852A5FA97E232B8E4335C29187695B935963D36D7DC4B66AE057971E13E5F40F19FFE83032EAF3423BDD9762CB57E800937A2A |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\omsecor.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 100 |
Entropy (8bit): | 1.8901865117490424 |
Encrypted: | false |
SSDEEP: | 3:gtqyu/JSzv/qvdOdFV:gwDAzviU/ |
MD5: | 11598988334FA23E5801B318FADCDD95 |
SHA1: | F116E9AB51BE03B2D8BC69A04C7269A1C43E7917 |
SHA-256: | 1EADB45BFEB7402242E4FCBFEE5CC925A260AD22769AD21B74BD0788769EC5B5 |
SHA-512: | 08FAD81A0E5065A526DC4B9B317CC6AD4CC37C1A82306645B104718419AD1019B0D9D597F2DF7CC87D82F12C4C71B9B7D646D890BE28B9982B5A3F510D239D2C |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Roaming\omsecor.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 82768 |
Entropy (8bit): | 6.93198150938138 |
Encrypted: | false |
SSDEEP: | 1536:Jd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:JdseIOMEZEyFjEOFqTiQmOl/5xPvw3 |
MD5: | 1FB6FB78751B952FE1D6BEBA89C93830 |
SHA1: | 74DF9E9309715128ADD09CF3FA3E80D670B81ECD |
SHA-256: | E4020F1799722258E62AFD948A5DB176524B8E1831D6738C82B5ADF4D835A1A0 |
SHA-512: | A25D8943FE382B8B0DDF9DDBDED01A9405C068ED56CA1B70B852DA83E39CEA2E3F65084703D9D66148648F8189F6B236E23460F9014200CBA1903694449260C7 |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.931971441078146 |
TrID: |
|
File name: | nNX5KYQRhg.exe |
File size: | 82'768 bytes |
MD5: | 44a881b87bb2d5dfe7062b9a7538425f |
SHA1: | 682abf7611b349bb614207e0fcca057ab84389a6 |
SHA256: | fc22b8c7e16c145772129e466d1977f14f09c1302da688eb96863e409cbb6a58 |
SHA512: | 5789c8c42bc75efdba39d1715a71c40142dd8946c40a127b29c9b7c575ae51186e2d241dd287791d6d7e501b23132282cf2ce8d7d87d60285272439233c23bd5 |
SSDEEP: | 1536:Xd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:fdseIOMEZEyFjEOFqTiQmOl/5xPvw3 |
TLSH: | 73839D95B6F88076E9A318B0627CE9929CBDBEB515A0D0C3D350AC871EE13D2D73435B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m.m.m...m.m.m...m^..m...m^..m...m...m...m.m.m...m.m.m...mRich...m................PE..L...+..P................... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x40b346 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x50B39C2B [Mon Nov 26 16:43:23 2012 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 08b67a9663d3a8c9505f3b2561bbdd1c |
Signature Valid: | false |
Signature Issuer: | CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | 07BA2F139D35455A934AB0CED10CBE41 |
Thumbprint SHA-1: | 5A257D333718C4B468A5DBC6643348AF667AEE3D |
Thumbprint SHA-256: | F66C648A39C2B4845719707319B96BA37A6EFC854D02D4AB3EDA1B2DA853B7EB |
Serial: | 3300000439F61F7A676DA000AF000000000439 |
Instruction |
---|
push ebp |
mov ebp, esp |
mov eax, 00001800h |
call 00007F016532D762h |
push ebx |
push esi |
push edi |
mov edi, dword ptr [0040E0B0h] |
mov esi, 00000400h |
push esi |
lea eax, dword ptr [ebp-00000800h] |
push eax |
xor ebx, ebx |
push ebx |
call edi |
push 0040F4FCh |
lea eax, dword ptr [ebp-00000800h] |
call 00007F016532561Ah |
test eax, eax |
pop ecx |
je 00007F016532B55Fh |
lea eax, dword ptr [ebp-00001800h] |
push eax |
call 00007F016532AD96h |
test eax, eax |
pop ecx |
jne 00007F016532B54Eh |
push esi |
lea eax, dword ptr [ebp-00000800h] |
push eax |
push ebx |
call edi |
push 00000001h |
lea eax, dword ptr [ebp-00000800h] |
push eax |
push 0040F414h |
push 0040F1D8h |
push 80000001h |
call 00007F0165326B46h |
add esp, 14h |
test eax, eax |
push 00000004h |
je 00007F016532B507h |
push ebx |
push 00000003h |
jmp 00007F016532B50Bh |
call dword ptr [0040E064h] |
push eax |
push 00000006h |
call 00007F016532A8B3h |
add esp, 0Ch |
call 00007F016532B3F3h |
call 00007F016532AC1Dh |
test eax, eax |
jne 00007F016532B4F4h |
call 00007F016532AC93h |
test eax, eax |
je 00007F016532B563h |
push 00002710h |
call dword ptr [0040E070h] |
push 00000004h |
push ebx |
push 00000009h |
call 00007F016532A884h |
add esp, 0Ch |
push esi |
lea eax, dword ptr [ebp+00000000h] |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf77c | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xf600 | 0x4d50 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xf6a8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xe000 | 0x1b4 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xcc18 | 0xce00 | 7d17b3af3ad18f4a94d7ab9fe07eac18 | False | 0.5967650182038835 | data | 6.6299319364593226 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xe000 | 0x2144 | 0x2200 | 56d9054057018e96543087e97c2a076e | False | 0.4463465073529412 | data | 4.458482003449311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x11000 | 0x1712c | 0x200 | 9159e4683d74ea27f29c3b096294f663 | False | 0.466796875 | data | 3.7016590486098133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
WININET.dll | HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetSetPerSiteCookieDecisionW, InternetOpenUrlW, InternetAttemptConnect, InternetOpenW, InternetReadFile, InternetClearAllPerSiteCookieDecisions, InternetCloseHandle, InternetQueryDataAvailable, InternetSetOptionW |
SHLWAPI.dll | StrStrIW, PathMatchSpecW, PathCombineW, wvnsprintfW, StrStrIA, PathRemoveFileSpecW |
KERNEL32.dll | TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetVersionExA, HeapReAlloc, RtlUnwind, WideCharToMultiByte, MultiByteToWideChar, HeapCreate, CopyFileW, CreateThread, WaitForMultipleObjects, GetTickCount, DeleteFileW, CreateProcessW, SetUnhandledExceptionFilter, ExitProcess, GetLastError, LoadLibraryW, GetProcAddress, Sleep, VirtualProtect, GetPrivateProfileIntW, ExpandEnvironmentStringsW, GetPrivateProfileStringW, FindFirstFileW, SetFilePointer, SetEndOfFile, GetVersionExW, HeapAlloc, SetWaitableTimer, SystemTimeToFileTime, CreateWaitableTimerW, FindNextFileW, HeapFree, ReadFile, GetModuleFileNameW, GetFileTime, WaitForSingleObject, GetTimeZoneInformation, CreateFileW, CloseHandle, GetFileSizeEx, VirtualFree, GetProcessHeap, GetCurrentDirectoryW, VirtualAlloc, VirtualQuery, GetSystemTime, GetFileSize, FindClose, WriteFile, GetLocalTime, GetModuleHandleW, GetCommandLineW |
USER32.dll | GetWindowLongW, DispatchMessageW, GetForegroundWindow, CharLowerW, CreateWindowExW, FindWindowW, PeekMessageW, SetForegroundWindow, GetSystemMetrics, MessageBoxW, SetWindowPos, SetWindowLongW, SetParent |
ADVAPI32.dll | RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, RegSetValueExW, RegCreateKeyExW, RegCloseKey |
SHELL32.dll | SHGetFolderPathW |
ole32.dll | CoCreateInstance, OleInitialize, CoInitialize |
OLEAUT32.dll | SysFreeString, VariantInit, SysAllocString, VariantClear |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-01T16:21:58.969242+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50009 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:01.694283+0100 | 2016998 | ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) | 1 | 192.168.2.6 | 49709 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:10.199354+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49709 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:18.801892+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49727 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:19.281249+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.6 | 49763 | TCP |
2024-11-01T16:22:19.623901+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49769 | 15.197.204.56 | 80 | TCP |
2024-11-01T16:22:20.790141+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49776 | 52.34.198.229 | 80 | TCP |
2024-11-01T16:22:20.910667+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 52.34.198.229 | 80 | 192.168.2.6 | 49776 | TCP |
2024-11-01T16:22:20.910667+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 52.34.198.229 | 80 | 192.168.2.6 | 49776 | TCP |
2024-11-01T16:22:29.863054+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49788 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:38.613596+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49830 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:39.356294+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49879 | 15.197.204.56 | 80 | TCP |
2024-11-01T16:22:40.327774+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49885 | 52.34.198.229 | 80 | TCP |
2024-11-01T16:22:48.943456+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49891 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:57.393256+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.6 | 49973 | TCP |
2024-11-01T16:22:57.731117+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49938 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:22:58.006313+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49879 | 15.197.204.56 | 80 | TCP |
2024-11-01T16:22:58.961028+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49983 | 52.34.198.229 | 80 | TCP |
2024-11-01T16:23:07.664946+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49989 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:23:16.258859+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49995 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:23:16.999344+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49996 | 15.197.204.56 | 80 | TCP |
2024-11-01T16:23:17.946497+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49997 | 52.34.198.229 | 80 | TCP |
2024-11-01T16:23:26.666239+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49998 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:23:35.272306+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 49999 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:23:36.587988+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50001 | 15.197.204.56 | 80 | TCP |
2024-11-01T16:23:37.569661+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50002 | 52.34.198.229 | 80 | TCP |
2024-11-01T16:23:46.286758+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50003 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:23:55.051681+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50004 | 193.166.255.171 | 80 | TCP |
2024-11-01T16:23:55.834896+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50005 | 15.197.204.56 | 80 | TCP |
2024-11-01T16:23:56.826488+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50006 | 52.34.198.229 | 80 | TCP |
2024-11-01T16:24:05.543153+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.6 | 50007 | 193.166.255.171 | 80 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 1, 2024 16:22:01.694283009 CET | 49709 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:01.699266911 CET | 80 | 49709 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:01.699348927 CET | 49709 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:01.699565887 CET | 49709 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:01.704411983 CET | 80 | 49709 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:10.199237108 CET | 80 | 49709 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:10.199353933 CET | 49709 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:10.199753046 CET | 49709 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:10.204626083 CET | 80 | 49709 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:10.315309048 CET | 49727 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:10.320950031 CET | 80 | 49727 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:10.321176052 CET | 49727 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:10.321299076 CET | 49727 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:10.326160908 CET | 80 | 49727 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:18.801827908 CET | 80 | 49727 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:18.801892042 CET | 49727 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:18.802819014 CET | 49727 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:18.808285952 CET | 80 | 49727 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:18.946409941 CET | 49769 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:22:18.951695919 CET | 80 | 49769 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:22:18.951946020 CET | 49769 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:22:18.951946020 CET | 49769 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:22:18.956809044 CET | 80 | 49769 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:22:19.623764038 CET | 80 | 49769 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:22:19.623900890 CET | 49769 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:22:19.931107044 CET | 49776 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:19.936481953 CET | 80 | 49776 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:19.936592102 CET | 49776 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:19.936713934 CET | 49776 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:19.941548109 CET | 80 | 49776 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:20.790091991 CET | 80 | 49776 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:20.790141106 CET | 49776 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:20.910666943 CET | 80 | 49776 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:20.910723925 CET | 49776 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:21.014872074 CET | 49776 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:21.019705057 CET | 80 | 49776 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:21.334338903 CET | 49769 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:22:21.372437000 CET | 49788 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:21.377631903 CET | 80 | 49788 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:21.377721071 CET | 49788 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:21.379038095 CET | 49788 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:21.383939981 CET | 80 | 49788 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:29.862993956 CET | 80 | 49788 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:29.863054037 CET | 49788 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:29.881849051 CET | 49788 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:29.886674881 CET | 80 | 49788 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:30.098277092 CET | 49830 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:30.103286028 CET | 80 | 49830 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:30.103346109 CET | 49830 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:30.121573925 CET | 49830 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:30.126328945 CET | 80 | 49830 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:38.613482952 CET | 80 | 49830 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:38.613595963 CET | 49830 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:38.613682032 CET | 49830 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:38.623114109 CET | 80 | 49830 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:38.722513914 CET | 49879 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:22:38.728853941 CET | 80 | 49879 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:22:38.728940964 CET | 49879 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:22:38.729095936 CET | 49879 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:22:38.735745907 CET | 80 | 49879 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:22:39.356230974 CET | 80 | 49879 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:22:39.356293917 CET | 49879 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:22:39.473020077 CET | 49885 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:39.478363991 CET | 80 | 49885 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:39.478429079 CET | 49885 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:39.478585005 CET | 49885 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:39.483625889 CET | 80 | 49885 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:40.327507973 CET | 80 | 49885 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:40.327774048 CET | 49885 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:40.328604937 CET | 49885 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:40.333887100 CET | 80 | 49885 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:40.334078074 CET | 49885 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:40.458249092 CET | 49891 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:40.463155985 CET | 80 | 49891 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:40.463218927 CET | 49891 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:40.463457108 CET | 49891 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:40.468452930 CET | 80 | 49891 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:48.943344116 CET | 80 | 49891 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:48.943455935 CET | 49891 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:48.943556070 CET | 49891 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:48.948431015 CET | 80 | 49891 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:49.048841953 CET | 49938 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:49.244505882 CET | 80 | 49938 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:49.244627953 CET | 49938 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:49.244889975 CET | 49938 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:49.250520945 CET | 80 | 49938 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:57.730891943 CET | 80 | 49938 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:57.731117010 CET | 49938 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:57.731396914 CET | 49938 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:57.737569094 CET | 80 | 49938 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:57.845740080 CET | 49879 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:22:57.851000071 CET | 80 | 49879 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:22:58.006225109 CET | 80 | 49879 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:22:58.006313086 CET | 49879 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:22:58.111692905 CET | 49983 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:58.116714954 CET | 80 | 49983 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:58.116844893 CET | 49983 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:58.116975069 CET | 49983 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:58.122034073 CET | 80 | 49983 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:58.960884094 CET | 80 | 49983 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:58.961028099 CET | 49983 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:58.961680889 CET | 49983 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:58.967068911 CET | 80 | 49983 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:22:58.967174053 CET | 49983 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:22:59.164309025 CET | 49989 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:59.171665907 CET | 80 | 49989 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:59.171740055 CET | 49989 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:59.171910048 CET | 49989 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:22:59.179641008 CET | 80 | 49989 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:22:59.198824883 CET | 49879 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:07.664866924 CET | 80 | 49989 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:07.664946079 CET | 49989 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:07.665075064 CET | 49989 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:07.671092987 CET | 80 | 49989 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:07.770239115 CET | 49995 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:07.775208950 CET | 80 | 49995 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:07.775275946 CET | 49995 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:07.775427103 CET | 49995 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:07.781164885 CET | 80 | 49995 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:16.258625031 CET | 80 | 49995 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:16.258858919 CET | 49995 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:16.258964062 CET | 49995 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:16.263895988 CET | 80 | 49995 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:16.363836050 CET | 49996 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:16.368704081 CET | 80 | 49996 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:23:16.368832111 CET | 49996 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:16.369029999 CET | 49996 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:16.373948097 CET | 80 | 49996 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:23:16.998203993 CET | 80 | 49996 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:23:16.999344110 CET | 49996 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:17.113670111 CET | 49997 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:17.118648052 CET | 80 | 49997 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:23:17.118756056 CET | 49997 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:17.118930101 CET | 49997 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:17.123893976 CET | 80 | 49997 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:23:17.946367025 CET | 80 | 49997 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:23:17.946496964 CET | 49997 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:17.947376966 CET | 49997 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:17.953336000 CET | 80 | 49997 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:23:17.953429937 CET | 49997 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:18.174122095 CET | 49998 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:18.178965092 CET | 80 | 49998 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:18.179079056 CET | 49998 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:18.179202080 CET | 49998 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:18.184884071 CET | 80 | 49998 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:26.666126966 CET | 80 | 49998 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:26.666239023 CET | 49998 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:26.666894913 CET | 49998 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:26.671761990 CET | 80 | 49998 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:26.783461094 CET | 49999 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:26.788388968 CET | 80 | 49999 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:26.788496971 CET | 49999 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:26.788692951 CET | 49999 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:26.793488979 CET | 80 | 49999 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:35.272134066 CET | 80 | 49999 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:35.272305965 CET | 49999 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:35.584564924 CET | 49999 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:35.589785099 CET | 80 | 49999 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:35.704993963 CET | 49996 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:35.705331087 CET | 50001 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:35.949032068 CET | 80 | 50001 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:23:35.949049950 CET | 80 | 49996 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:23:35.949227095 CET | 49996 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:35.949491024 CET | 50001 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:35.949491024 CET | 50001 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:35.954333067 CET | 80 | 50001 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:23:36.587837934 CET | 80 | 50001 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:23:36.587987900 CET | 50001 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:36.707745075 CET | 50002 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:36.712996006 CET | 80 | 50002 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:23:36.713123083 CET | 50002 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:36.713290930 CET | 50002 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:36.718462944 CET | 80 | 50002 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:23:37.569514036 CET | 80 | 50002 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:23:37.569660902 CET | 50002 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:37.570275068 CET | 50002 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:37.575691938 CET | 80 | 50002 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:23:37.575784922 CET | 50002 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:37.785546064 CET | 50003 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:37.790853024 CET | 80 | 50003 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:37.791059017 CET | 50003 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:37.791393042 CET | 50003 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:37.796550035 CET | 80 | 50003 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:46.286544085 CET | 80 | 50003 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:46.286757946 CET | 50003 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:46.286849022 CET | 50003 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:46.292210102 CET | 80 | 50003 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:46.394058943 CET | 50004 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:46.399414062 CET | 80 | 50004 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:46.399585009 CET | 50004 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:46.399684906 CET | 50004 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:46.404730082 CET | 80 | 50004 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:55.051572084 CET | 80 | 50004 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:55.051681042 CET | 50004 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:55.051805973 CET | 50004 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:55.061794043 CET | 80 | 50004 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:55.160034895 CET | 50001 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:55.160506010 CET | 50005 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:55.165766001 CET | 80 | 50005 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:23:55.165920019 CET | 50005 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:55.166052103 CET | 50005 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:55.166197062 CET | 80 | 50001 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:23:55.166510105 CET | 50001 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:55.171382904 CET | 80 | 50005 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:23:55.834677935 CET | 80 | 50005 | 15.197.204.56 | 192.168.2.6 |
Nov 1, 2024 16:23:55.834896088 CET | 50005 | 80 | 192.168.2.6 | 15.197.204.56 |
Nov 1, 2024 16:23:55.984436989 CET | 50006 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:55.989382982 CET | 80 | 50006 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:23:55.989495993 CET | 50006 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:55.993933916 CET | 50006 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:55.998883009 CET | 80 | 50006 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:23:56.826276064 CET | 80 | 50006 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:23:56.826488018 CET | 50006 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:56.827167034 CET | 50006 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:56.833173990 CET | 80 | 50006 | 52.34.198.229 | 192.168.2.6 |
Nov 1, 2024 16:23:56.833265066 CET | 50006 | 80 | 192.168.2.6 | 52.34.198.229 |
Nov 1, 2024 16:23:57.049094915 CET | 50007 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:57.054111958 CET | 80 | 50007 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:23:57.054290056 CET | 50007 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:57.054321051 CET | 50007 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:23:57.059246063 CET | 80 | 50007 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:24:05.543088913 CET | 80 | 50007 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:24:05.543153048 CET | 50007 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:24:05.544028997 CET | 50007 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:24:05.548784018 CET | 80 | 50007 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:24:05.681745052 CET | 50009 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:24:05.688043118 CET | 80 | 50009 | 193.166.255.171 | 192.168.2.6 |
Nov 1, 2024 16:24:05.688153028 CET | 50009 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:24:05.688517094 CET | 50009 | 80 | 192.168.2.6 | 193.166.255.171 |
Nov 1, 2024 16:24:05.694778919 CET | 80 | 50009 | 193.166.255.171 | 192.168.2.6 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 1, 2024 16:22:01.499181032 CET | 51438 | 53 | 192.168.2.6 | 1.1.1.1 |
Nov 1, 2024 16:22:01.686541080 CET | 53 | 51438 | 1.1.1.1 | 192.168.2.6 |
Nov 1, 2024 16:22:18.910053015 CET | 53668 | 53 | 192.168.2.6 | 1.1.1.1 |
Nov 1, 2024 16:22:18.944542885 CET | 53 | 53668 | 1.1.1.1 | 192.168.2.6 |
Nov 1, 2024 16:22:19.737744093 CET | 56857 | 53 | 192.168.2.6 | 1.1.1.1 |
Nov 1, 2024 16:22:19.930011988 CET | 53 | 56857 | 1.1.1.1 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Nov 1, 2024 16:22:01.499181032 CET | 192.168.2.6 | 1.1.1.1 | 0xe98c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Nov 1, 2024 16:22:18.910053015 CET | 192.168.2.6 | 1.1.1.1 | 0xb18f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Nov 1, 2024 16:22:19.737744093 CET | 192.168.2.6 | 1.1.1.1 | 0xd36b | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Nov 1, 2024 16:22:01.686541080 CET | 1.1.1.1 | 192.168.2.6 | 0xe98c | No error (0) | 193.166.255.171 | A (IP address) | IN (0x0001) | false | ||
Nov 1, 2024 16:22:18.944542885 CET | 1.1.1.1 | 192.168.2.6 | 0xb18f | No error (0) | 15.197.204.56 | A (IP address) | IN (0x0001) | false | ||
Nov 1, 2024 16:22:18.944542885 CET | 1.1.1.1 | 192.168.2.6 | 0xb18f | No error (0) | 3.33.243.145 | A (IP address) | IN (0x0001) | false | ||
Nov 1, 2024 16:22:19.930011988 CET | 1.1.1.1 | 192.168.2.6 | 0xd36b | No error (0) | 52.34.198.229 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.6 | 49709 | 193.166.255.171 | 80 | 3756 | C:\Users\user\AppData\Roaming\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:22:01.699565887 CET | 186 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.6 | 49727 | 193.166.255.171 | 80 | 3756 | C:\Users\user\AppData\Roaming\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:22:10.321299076 CET | 185 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.6 | 49769 | 15.197.204.56 | 80 | 3756 | C:\Users\user\AppData\Roaming\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:22:18.951946020 CET | 191 | OUT | |
Nov 1, 2024 16:22:19.623764038 CET | 259 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.6 | 49776 | 52.34.198.229 | 80 | 3756 | C:\Users\user\AppData\Roaming\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:22:19.936713934 CET | 191 | OUT | |
Nov 1, 2024 16:22:20.790091991 CET | 419 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.6 | 49788 | 193.166.255.171 | 80 | 1268 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:22:21.379038095 CET | 186 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.6 | 49830 | 193.166.255.171 | 80 | 1268 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:22:30.121573925 CET | 186 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.6 | 49879 | 15.197.204.56 | 80 | 1268 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:22:38.729095936 CET | 190 | OUT | |
Nov 1, 2024 16:22:39.356230974 CET | 259 | IN | |
Nov 1, 2024 16:22:57.845740080 CET | 191 | OUT | |
Nov 1, 2024 16:22:58.006225109 CET | 259 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.6 | 49885 | 52.34.198.229 | 80 | 1268 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:22:39.478585005 CET | 301 | OUT | |
Nov 1, 2024 16:22:40.327507973 CET | 340 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.6 | 49891 | 193.166.255.171 | 80 | 1268 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:22:40.463457108 CET | 186 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
9 | 192.168.2.6 | 49938 | 193.166.255.171 | 80 | 1268 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:22:49.244889975 CET | 186 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
10 | 192.168.2.6 | 49983 | 52.34.198.229 | 80 | 1268 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:22:58.116975069 CET | 301 | OUT | |
Nov 1, 2024 16:22:58.960884094 CET | 340 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
11 | 192.168.2.6 | 49989 | 193.166.255.171 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:22:59.171910048 CET | 161 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
12 | 192.168.2.6 | 49995 | 193.166.255.171 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:23:07.775427103 CET | 161 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
13 | 192.168.2.6 | 49996 | 15.197.204.56 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:23:16.369029999 CET | 166 | OUT | |
Nov 1, 2024 16:23:16.998203993 CET | 259 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
14 | 192.168.2.6 | 49997 | 52.34.198.229 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:23:17.118930101 CET | 278 | OUT | |
Nov 1, 2024 16:23:17.946367025 CET | 340 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
15 | 192.168.2.6 | 49998 | 193.166.255.171 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:23:18.179202080 CET | 169 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
16 | 192.168.2.6 | 49999 | 193.166.255.171 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:23:26.788692951 CET | 168 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
17 | 192.168.2.6 | 50001 | 15.197.204.56 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:23:35.949491024 CET | 174 | OUT | |
Nov 1, 2024 16:23:36.587837934 CET | 259 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
18 | 192.168.2.6 | 50002 | 52.34.198.229 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:23:36.713290930 CET | 286 | OUT | |
Nov 1, 2024 16:23:37.569514036 CET | 340 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
19 | 192.168.2.6 | 50003 | 193.166.255.171 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:23:37.791393042 CET | 169 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
20 | 192.168.2.6 | 50004 | 193.166.255.171 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:23:46.399684906 CET | 169 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
21 | 192.168.2.6 | 50005 | 15.197.204.56 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:23:55.166052103 CET | 174 | OUT | |
Nov 1, 2024 16:23:55.834677935 CET | 259 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
22 | 192.168.2.6 | 50006 | 52.34.198.229 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:23:55.993933916 CET | 286 | OUT | |
Nov 1, 2024 16:23:56.826276064 CET | 340 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
23 | 192.168.2.6 | 50007 | 193.166.255.171 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:23:57.054321051 CET | 168 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
24 | 192.168.2.6 | 50009 | 193.166.255.171 | 80 | 3908 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 1, 2024 16:24:05.688517094 CET | 169 | OUT |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 11:21:59 |
Start date: | 01/11/2024 |
Path: | C:\Users\user\Desktop\nNX5KYQRhg.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 82'768 bytes |
MD5 hash: | 44A881B87BB2D5DFE7062B9A7538425F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 11:21:59 |
Start date: | 01/11/2024 |
Path: | C:\Users\user\AppData\Roaming\omsecor.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 82'768 bytes |
MD5 hash: | DCC8263D314F19A3A35E32EDFCCDC942 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 5 |
Start time: | 11:22:20 |
Start date: | 01/11/2024 |
Path: | C:\Windows\SysWOW64\omsecor.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 82'768 bytes |
MD5 hash: | 1FB6FB78751B952FE1D6BEBA89C93830 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 8 |
Start time: | 11:22:58 |
Start date: | 01/11/2024 |
Path: | C:\Windows\SysWOW64\omsecor.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 82'768 bytes |
MD5 hash: | 1FB6FB78751B952FE1D6BEBA89C93830 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 2.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 11.9% |
Total number of Nodes: | 1144 |
Total number of Limit Nodes: | 6 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040ABD9 Relevance: 3.0, APIs: 2, Instructions: 26fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040B346 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 153sleepfileCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040AC20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407727 Relevance: 6.1, APIs: 4, Instructions: 71COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004077F0 Relevance: 3.0, APIs: 2, Instructions: 30processCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004039EA Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 163memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004032B8 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 86libraryloadermemoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408248 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 116sleepfilesynchronizationCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040350F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 185memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401C41 Relevance: 11.7, Strings: 9, Instructions: 462COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407499 Relevance: 9.1, APIs: 6, Instructions: 62timeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A057 Relevance: 4.5, APIs: 3, Instructions: 40comCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406CB5 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040B51C Relevance: .7, Instructions: 666COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040B096 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 181threadnetworkCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004027E6 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 355comCOMMON
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004041E4 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 210registrymemoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040451B Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 205registrymemoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409C99 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 127memorynetworkfileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409301 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 105memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405229 Relevance: 16.6, APIs: 3, Strings: 8, Instructions: 134sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406ADF Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 136registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A156 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004047CC Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 226memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407362 Relevance: 13.6, APIs: 9, Instructions: 114timesynchronizationCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409909 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 79memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408F26 Relevance: 12.2, APIs: 8, Instructions: 164COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040AC93 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 105sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A786 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 121sleepmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040253C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113sleepprocessfileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004094B6 Relevance: 10.6, APIs: 7, Instructions: 81COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A245 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040782A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60filetimeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407E2B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 54fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408604 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53registryfileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409A99 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 43memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A8F9 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 161sleepmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409DF4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110networkfileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409808 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040978D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406C77 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409581 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Execution Graph
Execution Coverage: | 6.6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 1147 |
Total number of Limit Nodes: | 6 |
Graph
Function 0040ABD9 Relevance: 3.0, APIs: 2, Instructions: 26fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040B346 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 153sleepfileCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409C99 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 127memorynetworkfileCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A786 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 121sleepmemoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040782A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60filetimeCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407E2B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 54fileCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040AC20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407727 Relevance: 6.1, APIs: 4, Instructions: 71COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004077F0 Relevance: 3.0, APIs: 2, Instructions: 30processCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406D14 Relevance: 3.0, APIs: 2, Instructions: 22networkCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004039EA Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 163memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004032B8 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 86libraryloadermemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408248 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 116sleepfilesynchronizationCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040350F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 185memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040B096 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 181threadnetworkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004027E6 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 355comCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004041E4 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 210registrymemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040451B Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 205registrymemoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409301 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 105memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405229 Relevance: 16.6, APIs: 3, Strings: 8, Instructions: 134sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406ADF Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 136registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A156 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004047CC Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 226memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407362 Relevance: 13.6, APIs: 9, Instructions: 114timesynchronizationCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409909 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 79memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408F26 Relevance: 12.2, APIs: 8, Instructions: 164COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040AC93 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 105sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040253C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113sleepprocessfileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004094B6 Relevance: 10.6, APIs: 7, Instructions: 81COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A245 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408604 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53registryfileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409A99 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 43memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A8F9 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 161sleepmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407499 Relevance: 9.1, APIs: 6, Instructions: 62timeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409DF4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110networkfileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409808 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040978D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406C77 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409581 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|