Windows
Analysis Report
cOviNFmw21.exe
Overview
General Information
Sample name: | cOviNFmw21.exerenamed because original name is a hash value |
Original sample name: | 7a492eaf1df94ad3ffea031e184f81099ed752dce08e77aba9ed657ead97dc3f.exe |
Analysis ID: | 1569326 |
MD5: | 73e5f0f01bf8368b8b82432b027610e5 |
SHA1: | ecf068b47a2747e0ef0286c6f9d03f2f8aacfaa7 |
SHA256: | 7a492eaf1df94ad3ffea031e184f81099ed752dce08e77aba9ed657ead97dc3f |
Tags: | exeuser-adrian__luca |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- cOviNFmw21.exe (PID: 5344 cmdline:
"C:\Users\ user\Deskt op\cOviNFm w21.exe" MD5: 73E5F0F01BF8368B8B82432B027610E5) - omsecor.exe (PID: 3808 cmdline:
C:\Users\u ser\AppDat a\Roaming\ omsecor.ex e MD5: 9CB842FFDA5CC91A433FD8C8655C0678) - omsecor.exe (PID: 1732 cmdline:
C:\Windows \System32\ omsecor.ex e MD5: 647527DE20AF8BB173C26019E8811EED) - omsecor.exe (PID: 6904 cmdline:
C:\Windows \SysWOW64\ omsecor.ex e /nomove MD5: 647527DE20AF8BB173C26019E8811EED)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Neconyd | No Attribution |
{"C2 url": ["http://mkkuei4kdsz.com/", "http://lousta.net/", "http://ow5dirasuek.com/"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security | ||
JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security | ||
JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security | ||
JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-05T18:04:08.431834+0100 | 2016998 | 1 | A Network Trojan was detected | 192.168.2.7 | 49699 | 193.166.255.171 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-05T18:04:36.659257+0100 | 2018141 | 1 | A Network Trojan was detected | 52.34.198.229 | 80 | 192.168.2.7 | 49748 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-05T18:04:36.659257+0100 | 2037771 | 1 | A Network Trojan was detected | 52.34.198.229 | 80 | 192.168.2.7 | 49748 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-05T18:04:10.619663+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:04:32.754783+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49700 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:04:34.471615+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49742 | 15.197.204.56 | 80 | TCP |
2024-12-05T18:04:36.659210+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49748 | 52.34.198.229 | 80 | TCP |
2024-12-05T18:04:59.095440+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49754 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:05:21.253614+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49803 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:05:22.615655+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49851 | 15.197.204.56 | 80 | TCP |
2024-12-05T18:05:24.218147+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49857 | 52.34.198.229 | 80 | TCP |
2024-12-05T18:05:46.346450+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49862 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:06:08.472191+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49913 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:06:09.821016+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49965 | 15.197.204.56 | 80 | TCP |
2024-12-05T18:06:11.428062+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49969 | 52.34.198.229 | 80 | TCP |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: | 1_2_0040ABD9 | |
Source: | Code function: | 11_2_0040ABD9 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: | ||
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | Code function: | 1_2_00407036 |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior |
Source: | Code function: | 1_2_0040D2A4 | |
Source: | Code function: | 1_2_0040B51C | |
Source: | Code function: | 1_2_0040CBD0 | |
Source: | Code function: | 11_2_0040D2A4 | |
Source: | Code function: | 11_2_0040B51C | |
Source: | Code function: | 11_2_0040CBD0 |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 1_2_0040A057 |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Evasive API call chain: | graph_1-3557 | ||
Source: | Evasive API call chain: | graph_11-3558 |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 1_2_0040D2A3 | |
Source: | Code function: | 1_2_0040CBC8 | |
Source: | Code function: | 11_2_0040D2A3 | |
Source: | Code function: | 11_2_0040CBC8 |
Persistence and Installation Behavior |
---|
Source: | Executable created and started: | Jump to behavior |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Source: | Evasive API call chain: | graph_1-3591 | ||
Source: | Evasive API call chain: | graph_1-3591 | ||
Source: | Evasive API call chain: | graph_11-3591 | ||
Source: | Evasive API call chain: | graph_11-3591 |
Source: | Evasive API call chain: | graph_11-3525 | ||
Source: | Evasive API call chain: | graph_1-3544 | ||
Source: | Evasive API call chain: | graph_1-3654 | ||
Source: | Evasive API call chain: | graph_11-3670 |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Code function: | 1_2_0040ABD9 | |
Source: | Code function: | 11_2_0040ABD9 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | API call chain: | graph_1-3675 | ||
Source: | API call chain: | graph_11-3675 |
Source: | Code function: | 1_2_0040D00B |
Source: | Code function: | 1_2_004075D4 |
Source: | Code function: | 1_2_0040D00B | |
Source: | Code function: | 11_2_0040D00B |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 1_2_0040CB03 |
Source: | Code function: | 1_2_00407267 |
Source: | Code function: | 1_2_00407499 |
Source: | Code function: | 1_2_00406CB5 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 2 Process Injection | 121 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
97% | ReversingLabs | Win32.Trojan.ButeRat | ||
100% | Avira | HEUR/AGEN.1317135 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | HEUR/AGEN.1317135 | ||
100% | Avira | HEUR/AGEN.1317135 | ||
100% | Joe Sandbox ML | |||
100% | Joe Sandbox ML | |||
96% | ReversingLabs | Win32.Trojan.ButeRat |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing | ||
100% | Avira URL Cloud | phishing |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
lousta.net | 193.166.255.171 | true | true | unknown | |
mkkuei4kdsz.com | 15.197.204.56 | true | true | unknown | |
ow5dirasuek.com | 52.34.198.229 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown | |
true |
| unknown | |
true |
| unknown | |
true |
| unknown | |
true |
| unknown | |
true |
| unknown | |
true |
| unknown | |
true |
| unknown | |
true |
| unknown | |
true |
| unknown | |
true |
| unknown | |
true |
| unknown | |
true |
| unknown | |
true |
| unknown | |
true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
true |
| unknown | ||
true |
| unknown | ||
true |
| unknown | ||
true |
| unknown | ||
true |
| unknown | ||
false |
| unknown | ||
true |
| unknown | ||
true |
| unknown | ||
true |
| unknown | ||
true |
| unknown | ||
true |
| unknown | ||
false |
| unknown | ||
true |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
true |
| unknown | ||
false |
| unknown | ||
true |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
true |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
true |
| unknown | ||
true |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
true |
| unknown | ||
true |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
193.166.255.171 | lousta.net | Finland | 1741 | FUNETASFI | true | |
52.34.198.229 | ow5dirasuek.com | United States | 16509 | AMAZON-02US | true | |
15.197.204.56 | mkkuei4kdsz.com | United States | 7430 | TANDEMUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1569326 |
Start date and time: | 2024-12-05 18:03:12 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 40s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 16 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | cOviNFmw21.exerenamed because original name is a hash value |
Original Sample Name: | 7a492eaf1df94ad3ffea031e184f81099ed752dce08e77aba9ed657ead97dc3f.exe |
Detection: | MAL |
Classification: | mal100.bank.troj.evad.winEXE@7/3@3/3 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: cOviNFmw21.exe
Time | Type | Description |
---|---|---|
12:04:09 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
193.166.255.171 | Get hash | malicious | Neconyd | Browse |
| |
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Pushdo | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
52.34.198.229 | Get hash | malicious | Simda Stealer | Browse |
| |
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Simda Stealer | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ow5dirasuek.com | Get hash | malicious | Neconyd | Browse |
| |
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
mkkuei4kdsz.com | Get hash | malicious | Neconyd | Browse |
| |
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
lousta.net | Get hash | malicious | Neconyd | Browse |
| |
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
| ||
Get hash | malicious | Neconyd | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
FUNETASFI | Get hash | malicious | Gafgyt, Mirai | Browse |
| |
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai, Okiru | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
AMAZON-02US | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
TANDEMUS | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | C:\Users\user\Desktop\cOviNFmw21.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.700261069108173 |
Encrypted: | false |
SSDEEP: | 768:gMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:gbIvYvZEyFKF6N4yS+AQmZcl/5 |
MD5: | 9CB842FFDA5CC91A433FD8C8655C0678 |
SHA1: | 9A94A3A65ADE88A164E0D7ED451D26B7AF41F6FB |
SHA-256: | 99C4637BFD77D17EC3A9D8A7D95C65C8045720A083F6741776AA8147ACF89C99 |
SHA-512: | D24054996135B838E73C795A5FBDC1054D985E56E7C9743501D8F46AF071292C98AEF444733BBD07F9B08613FD92B3459453B0D648B0C037D94347F7D9075409 |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\omsecor.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 100 |
Entropy (8bit): | 1.8777353867706772 |
Encrypted: | false |
SSDEEP: | 3:gtqyumdZp8zFmLV:gwDmL+zFmx |
MD5: | 7BEA8C5EE2FE04D87297BECD6315EA16 |
SHA1: | 7FF580C4573D8DFABBCD7E5F01B20F64BE6FC40D |
SHA-256: | 91A102D381A67E229350136926A23C0A4F25245DC3CB1C199C08D16845201782 |
SHA-512: | 7B795789B138A8FE45C6CF6368A105292DA520F6483BA446CBE03F5C011AFFE15326885DEBAF604AB6F59BD293A23876D9083B82577B9EA6DA97200900D58AC2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Roaming\omsecor.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.700257409382838 |
Encrypted: | false |
SSDEEP: | 768:TMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:TbIvYvZEyFKF6N4yS+AQmZcl/5 |
MD5: | 647527DE20AF8BB173C26019E8811EED |
SHA1: | 94665B1D056473F1F209127995ACDE6AD83B7916 |
SHA-256: | 552EDA5BFCFCAFD98BB4DF40AD07D19E9FEC270B31DF8888DAF865FE91B99127 |
SHA-512: | 8B44ED709643DF262C700C549F225E4E1A745302BF29DBB3C9E252ADE696E5CE910A46C59D7B8131BAC76D7168826BF1969C3D9A880182BC3E4FE0A756477762 |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 4.700177279604877 |
TrID: |
|
File name: | cOviNFmw21.exe |
File size: | 65'536 bytes |
MD5: | 73e5f0f01bf8368b8b82432b027610e5 |
SHA1: | ecf068b47a2747e0ef0286c6f9d03f2f8aacfaa7 |
SHA256: | 7a492eaf1df94ad3ffea031e184f81099ed752dce08e77aba9ed657ead97dc3f |
SHA512: | 46d0172face375c9f10315a571080a1d6af155e4b7209eafb8caf5b90e9761219afeffa54eff935b5d915b009bfbfefe65bd4ee0c7f8207c21291d74f0726791 |
SSDEEP: | 768:NMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:NbIvYvZEyFKF6N4yS+AQmZcl/5 |
TLSH: | CB538D9472F9803AE2B20D745D7E988189BEBD7826F0C5C6D3115C8B6DB46C2D53B3A3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m.m.m...m.m.m...m^..m...m^..m...m...m...m.m.m...m.m.m...mRich...m................PE..L......P................... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x40b346 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x50B1DFF8 [Sun Nov 25 09:08:08 2012 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 08b67a9663d3a8c9505f3b2561bbdd1c |
Instruction |
---|
push ebp |
mov ebp, esp |
mov eax, 00001800h |
call 00007FBE948D94C2h |
push ebx |
push esi |
push edi |
mov edi, dword ptr [0040E0B0h] |
mov esi, 00000400h |
push esi |
lea eax, dword ptr [ebp-00000800h] |
push eax |
xor ebx, ebx |
push ebx |
call edi |
push 0040F4FCh |
lea eax, dword ptr [ebp-00000800h] |
call 00007FBE948D137Ah |
test eax, eax |
pop ecx |
je 00007FBE948D72BFh |
lea eax, dword ptr [ebp-00001800h] |
push eax |
call 00007FBE948D6AF6h |
test eax, eax |
pop ecx |
jne 00007FBE948D72AEh |
push esi |
lea eax, dword ptr [ebp-00000800h] |
push eax |
push ebx |
call edi |
push 00000001h |
lea eax, dword ptr [ebp-00000800h] |
push eax |
push 0040F414h |
push 0040F1D8h |
push 80000001h |
call 00007FBE948D28A6h |
add esp, 14h |
test eax, eax |
push 00000004h |
je 00007FBE948D7267h |
push ebx |
push 00000003h |
jmp 00007FBE948D726Bh |
call dword ptr [0040E064h] |
push eax |
push 00000006h |
call 00007FBE948D6613h |
add esp, 0Ch |
call 00007FBE948D7153h |
call 00007FBE948D697Dh |
test eax, eax |
jne 00007FBE948D7254h |
call 00007FBE948D69F3h |
test eax, eax |
je 00007FBE948D72C3h |
push 00002710h |
call dword ptr [0040E070h] |
push 00000004h |
push ebx |
push 00000009h |
call 00007FBE948D65E4h |
add esp, 0Ch |
push esi |
lea eax, dword ptr [ebp+00000000h] |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf77c | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xf6a8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xe000 | 0x1b4 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xcc18 | 0xce00 | 714a894e8b5f787903d790e888652926 | False | 0.3713971480582524 | data | 4.766581687246585 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xe000 | 0x2144 | 0x2200 | 80dd2fa89c5c981edf446c3b17f9e467 | False | 0.4460018382352941 | data | 4.452292898356236 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x11000 | 0x1712c | 0x200 | 9159e4683d74ea27f29c3b096294f663 | False | 0.466796875 | data | 3.7016590486098133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
WININET.dll | HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetSetPerSiteCookieDecisionW, InternetOpenUrlW, InternetAttemptConnect, InternetOpenW, InternetReadFile, InternetClearAllPerSiteCookieDecisions, InternetCloseHandle, InternetQueryDataAvailable, InternetSetOptionW |
SHLWAPI.dll | StrStrIW, PathMatchSpecW, PathCombineW, wvnsprintfW, StrStrIA, PathRemoveFileSpecW |
KERNEL32.dll | TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetVersionExA, HeapReAlloc, RtlUnwind, WideCharToMultiByte, MultiByteToWideChar, HeapCreate, CopyFileW, CreateThread, WaitForMultipleObjects, GetTickCount, DeleteFileW, CreateProcessW, SetUnhandledExceptionFilter, ExitProcess, GetLastError, LoadLibraryW, GetProcAddress, Sleep, VirtualProtect, GetPrivateProfileIntW, ExpandEnvironmentStringsW, GetPrivateProfileStringW, FindFirstFileW, SetFilePointer, SetEndOfFile, GetVersionExW, HeapAlloc, SetWaitableTimer, SystemTimeToFileTime, CreateWaitableTimerW, FindNextFileW, HeapFree, ReadFile, GetModuleFileNameW, GetFileTime, WaitForSingleObject, GetTimeZoneInformation, CreateFileW, CloseHandle, GetFileSizeEx, VirtualFree, GetProcessHeap, GetCurrentDirectoryW, VirtualAlloc, VirtualQuery, GetSystemTime, GetFileSize, FindClose, WriteFile, GetLocalTime, GetModuleHandleW, GetCommandLineW |
USER32.dll | GetWindowLongW, DispatchMessageW, GetForegroundWindow, CharLowerW, CreateWindowExW, FindWindowW, PeekMessageW, SetForegroundWindow, GetSystemMetrics, MessageBoxW, SetWindowPos, SetWindowLongW, SetParent |
ADVAPI32.dll | RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, RegSetValueExW, RegCreateKeyExW, RegCloseKey |
SHELL32.dll | SHGetFolderPathW |
ole32.dll | CoCreateInstance, OleInitialize, CoInitialize |
OLEAUT32.dll | SysFreeString, VariantInit, SysAllocString, VariantClear |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-05T18:04:08.431834+0100 | 2016998 | ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) | 1 | 192.168.2.7 | 49699 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:04:10.619663+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49699 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:04:32.754783+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49700 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:04:34.471615+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49742 | 15.197.204.56 | 80 | TCP |
2024-12-05T18:04:36.659210+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49748 | 52.34.198.229 | 80 | TCP |
2024-12-05T18:04:36.659257+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 52.34.198.229 | 80 | 192.168.2.7 | 49748 | TCP |
2024-12-05T18:04:36.659257+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 52.34.198.229 | 80 | 192.168.2.7 | 49748 | TCP |
2024-12-05T18:04:59.095440+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49754 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:05:21.253614+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49803 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:05:22.615655+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49851 | 15.197.204.56 | 80 | TCP |
2024-12-05T18:05:24.218147+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49857 | 52.34.198.229 | 80 | TCP |
2024-12-05T18:05:46.346450+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49862 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:06:08.472191+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49913 | 193.166.255.171 | 80 | TCP |
2024-12-05T18:06:09.821016+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49965 | 15.197.204.56 | 80 | TCP |
2024-12-05T18:06:11.428062+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49969 | 52.34.198.229 | 80 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 5, 2024 18:04:08.431833982 CET | 49699 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:08.551768064 CET | 80 | 49699 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:08.551852942 CET | 49699 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:08.552088976 CET | 49699 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:08.915066957 CET | 49699 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:09.274391890 CET | 49699 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:09.395318985 CET | 80 | 49699 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:09.432813883 CET | 80 | 49699 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:09.435251951 CET | 80 | 49699 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:10.619582891 CET | 80 | 49699 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:10.619663000 CET | 49699 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:10.620363951 CET | 49699 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:10.729116917 CET | 49700 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:10.740194082 CET | 80 | 49699 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:10.849241972 CET | 80 | 49700 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:10.849334955 CET | 49700 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:10.849632978 CET | 49700 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:10.975996971 CET | 80 | 49700 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:32.753890991 CET | 80 | 49700 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:32.754782915 CET | 49700 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:32.754906893 CET | 49700 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:32.875406981 CET | 80 | 49700 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:33.247921944 CET | 49742 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:04:33.367659092 CET | 80 | 49742 | 15.197.204.56 | 192.168.2.7 |
Dec 5, 2024 18:04:33.367744923 CET | 49742 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:04:33.367984056 CET | 49742 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:04:33.487716913 CET | 80 | 49742 | 15.197.204.56 | 192.168.2.7 |
Dec 5, 2024 18:04:34.471554995 CET | 80 | 49742 | 15.197.204.56 | 192.168.2.7 |
Dec 5, 2024 18:04:34.471615076 CET | 49742 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:04:35.173968077 CET | 49748 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:04:35.294101000 CET | 80 | 49748 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:04:35.294208050 CET | 49748 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:04:35.294480085 CET | 49748 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:04:35.414170027 CET | 80 | 49748 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:04:36.659149885 CET | 80 | 49748 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:04:36.659209967 CET | 49748 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:04:36.659256935 CET | 80 | 49748 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:04:36.659306049 CET | 49748 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:04:36.663953066 CET | 49748 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:04:36.783663034 CET | 80 | 49748 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:04:37.054436922 CET | 49742 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:04:37.063429117 CET | 49754 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:37.183795929 CET | 80 | 49754 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:37.185534000 CET | 49754 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:37.187115908 CET | 49754 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:37.306962967 CET | 80 | 49754 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:59.095341921 CET | 80 | 49754 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:59.095439911 CET | 49754 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:59.096461058 CET | 49754 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:59.214235067 CET | 49803 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:59.216355085 CET | 80 | 49754 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:59.334084034 CET | 80 | 49803 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:04:59.334197998 CET | 49803 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:59.334496975 CET | 49803 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:04:59.454387903 CET | 80 | 49803 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:05:21.253506899 CET | 80 | 49803 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:05:21.253613949 CET | 49803 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:05:21.254290104 CET | 49803 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:05:21.373411894 CET | 49851 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:05:21.375205994 CET | 80 | 49803 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:05:21.493297100 CET | 80 | 49851 | 15.197.204.56 | 192.168.2.7 |
Dec 5, 2024 18:05:21.493427038 CET | 49851 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:05:21.493674040 CET | 49851 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:05:21.614376068 CET | 80 | 49851 | 15.197.204.56 | 192.168.2.7 |
Dec 5, 2024 18:05:22.615412951 CET | 80 | 49851 | 15.197.204.56 | 192.168.2.7 |
Dec 5, 2024 18:05:22.615654945 CET | 49851 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:05:22.732995987 CET | 49857 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:05:22.852768898 CET | 80 | 49857 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:05:22.853009939 CET | 49857 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:05:22.853296995 CET | 49857 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:05:22.973149061 CET | 80 | 49857 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:05:24.217924118 CET | 80 | 49857 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:05:24.217983961 CET | 80 | 49857 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:05:24.218147039 CET | 49857 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:05:24.218147039 CET | 49857 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:05:24.219597101 CET | 49857 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:05:24.334883928 CET | 49862 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:05:24.339363098 CET | 80 | 49857 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:05:24.454787970 CET | 80 | 49862 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:05:24.455008030 CET | 49862 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:05:24.455173969 CET | 49862 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:05:24.575201988 CET | 80 | 49862 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:05:46.346301079 CET | 80 | 49862 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:05:46.346450090 CET | 49862 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:05:46.346616030 CET | 49862 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:05:46.448956966 CET | 49913 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:05:46.466274023 CET | 80 | 49862 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:05:46.568967104 CET | 80 | 49913 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:05:46.569144964 CET | 49913 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:05:46.569494009 CET | 49913 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:05:46.689265966 CET | 80 | 49913 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:06:08.472119093 CET | 80 | 49913 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:06:08.472191095 CET | 49913 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:06:08.472381115 CET | 49913 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:06:08.590435982 CET | 49851 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:06:08.590816021 CET | 49965 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:06:08.592125893 CET | 80 | 49913 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:06:08.710678101 CET | 80 | 49965 | 15.197.204.56 | 192.168.2.7 |
Dec 5, 2024 18:06:08.710761070 CET | 49965 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:06:08.711038113 CET | 80 | 49851 | 15.197.204.56 | 192.168.2.7 |
Dec 5, 2024 18:06:08.711040020 CET | 49965 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:06:08.711081028 CET | 49851 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:06:08.831403017 CET | 80 | 49965 | 15.197.204.56 | 192.168.2.7 |
Dec 5, 2024 18:06:09.820947886 CET | 80 | 49965 | 15.197.204.56 | 192.168.2.7 |
Dec 5, 2024 18:06:09.821016073 CET | 49965 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:06:09.944407940 CET | 49969 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:06:10.065933943 CET | 80 | 49969 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:06:10.066041946 CET | 49969 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:06:10.066677094 CET | 49969 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:06:10.186336994 CET | 80 | 49969 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:06:11.427999020 CET | 80 | 49969 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:06:11.428061962 CET | 49969 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:06:11.428217888 CET | 80 | 49969 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:06:11.428270102 CET | 49969 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:06:11.428947926 CET | 49969 | 80 | 192.168.2.7 | 52.34.198.229 |
Dec 5, 2024 18:06:11.548582077 CET | 80 | 49969 | 52.34.198.229 | 192.168.2.7 |
Dec 5, 2024 18:06:11.667993069 CET | 49972 | 80 | 192.168.2.7 | 193.166.255.171 |
Dec 5, 2024 18:06:11.686968088 CET | 49965 | 80 | 192.168.2.7 | 15.197.204.56 |
Dec 5, 2024 18:06:11.787787914 CET | 80 | 49972 | 193.166.255.171 | 192.168.2.7 |
Dec 5, 2024 18:06:11.787935972 CET | 49972 | 80 | 192.168.2.7 | 193.166.255.171 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 5, 2024 18:04:07.947885990 CET | 53994 | 53 | 192.168.2.7 | 1.1.1.1 |
Dec 5, 2024 18:04:08.407656908 CET | 53 | 53994 | 1.1.1.1 | 192.168.2.7 |
Dec 5, 2024 18:04:32.883596897 CET | 59024 | 53 | 192.168.2.7 | 1.1.1.1 |
Dec 5, 2024 18:04:33.246804953 CET | 53 | 59024 | 1.1.1.1 | 192.168.2.7 |
Dec 5, 2024 18:04:34.591979027 CET | 51863 | 53 | 192.168.2.7 | 1.1.1.1 |
Dec 5, 2024 18:04:35.172810078 CET | 53 | 51863 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 5, 2024 18:04:07.947885990 CET | 192.168.2.7 | 1.1.1.1 | 0xb8cf | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Dec 5, 2024 18:04:32.883596897 CET | 192.168.2.7 | 1.1.1.1 | 0x652c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Dec 5, 2024 18:04:34.591979027 CET | 192.168.2.7 | 1.1.1.1 | 0x1fdb | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 5, 2024 18:04:08.407656908 CET | 1.1.1.1 | 192.168.2.7 | 0xb8cf | No error (0) | 193.166.255.171 | A (IP address) | IN (0x0001) | false | ||
Dec 5, 2024 18:04:33.246804953 CET | 1.1.1.1 | 192.168.2.7 | 0x652c | No error (0) | 15.197.204.56 | A (IP address) | IN (0x0001) | false | ||
Dec 5, 2024 18:04:33.246804953 CET | 1.1.1.1 | 192.168.2.7 | 0x652c | No error (0) | 3.33.243.145 | A (IP address) | IN (0x0001) | false | ||
Dec 5, 2024 18:04:35.172810078 CET | 1.1.1.1 | 192.168.2.7 | 0x1fdb | No error (0) | 52.34.198.229 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.7 | 49699 | 193.166.255.171 | 80 | 3808 | C:\Users\user\AppData\Roaming\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 5, 2024 18:04:08.552088976 CET | 186 | OUT | |
Dec 5, 2024 18:04:08.915066957 CET | 186 | OUT | |
Dec 5, 2024 18:04:09.274391890 CET | 186 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.7 | 49700 | 193.166.255.171 | 80 | 3808 | C:\Users\user\AppData\Roaming\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 5, 2024 18:04:10.849632978 CET | 186 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.7 | 49742 | 15.197.204.56 | 80 | 3808 | C:\Users\user\AppData\Roaming\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 5, 2024 18:04:33.367984056 CET | 190 | OUT | |
Dec 5, 2024 18:04:34.471554995 CET | 259 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.7 | 49748 | 52.34.198.229 | 80 | 3808 | C:\Users\user\AppData\Roaming\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 5, 2024 18:04:35.294480085 CET | 190 | OUT | |
Dec 5, 2024 18:04:36.659149885 CET | 415 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.7 | 49754 | 193.166.255.171 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 5, 2024 18:04:37.187115908 CET | 186 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.7 | 49803 | 193.166.255.171 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 5, 2024 18:04:59.334496975 CET | 185 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.7 | 49851 | 15.197.204.56 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 5, 2024 18:05:21.493674040 CET | 191 | OUT | |
Dec 5, 2024 18:05:22.615412951 CET | 259 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.7 | 49857 | 52.34.198.229 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 5, 2024 18:05:22.853296995 CET | 298 | OUT | |
Dec 5, 2024 18:05:24.217924118 CET | 338 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.7 | 49862 | 193.166.255.171 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 5, 2024 18:05:24.455173969 CET | 186 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
9 | 192.168.2.7 | 49913 | 193.166.255.171 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 5, 2024 18:05:46.569494009 CET | 185 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
10 | 192.168.2.7 | 49965 | 15.197.204.56 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 5, 2024 18:06:08.711040020 CET | 191 | OUT | |
Dec 5, 2024 18:06:09.820947886 CET | 259 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
11 | 192.168.2.7 | 49969 | 52.34.198.229 | 80 | 1732 | C:\Windows\SysWOW64\omsecor.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 5, 2024 18:06:10.066677094 CET | 299 | OUT | |
Dec 5, 2024 18:06:11.427999020 CET | 338 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 1 |
Start time: | 12:04:06 |
Start date: | 05/12/2024 |
Path: | C:\Users\user\Desktop\cOviNFmw21.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 65'536 bytes |
MD5 hash: | 73E5F0F01BF8368B8B82432B027610E5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 12:04:06 |
Start date: | 05/12/2024 |
Path: | C:\Users\user\AppData\Roaming\omsecor.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 65'536 bytes |
MD5 hash: | 9CB842FFDA5CC91A433FD8C8655C0678 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 11 |
Start time: | 13:36:08 |
Start date: | 05/12/2024 |
Path: | C:\Windows\SysWOW64\omsecor.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 65'536 bytes |
MD5 hash: | 647527DE20AF8BB173C26019E8811EED |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 15 |
Start time: | 13:37:43 |
Start date: | 05/12/2024 |
Path: | C:\Windows\SysWOW64\omsecor.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 65'536 bytes |
MD5 hash: | 647527DE20AF8BB173C26019E8811EED |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 3.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 8.2% |
Total number of Nodes: | 693 |
Total number of Limit Nodes: | 13 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040ABD9 Relevance: 3.0, APIs: 2, Instructions: 26fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040B346 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 153sleepfileCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040AC20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407727 Relevance: 6.1, APIs: 4, Instructions: 71COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004077F0 Relevance: 3.0, APIs: 2, Instructions: 30processCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407499 Relevance: 9.1, APIs: 6, Instructions: 62timeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A057 Relevance: 4.5, APIs: 3, Instructions: 40comCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406CB5 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040B51C Relevance: .7, Instructions: 666COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040B096 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 181threadnetworkCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409C99 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 127memorynetworkfileCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405229 Relevance: 16.6, APIs: 3, Strings: 8, Instructions: 134sleepCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409301 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 105memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406ADF Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 136registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A156 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407362 Relevance: 13.6, APIs: 9, Instructions: 114timesynchronizationCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409909 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 79memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040AC93 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 105sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A786 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 121sleepmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004094B6 Relevance: 10.6, APIs: 7, Instructions: 81COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040782A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60filetimeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407E2B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 54fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409A99 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 43memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A8F9 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 161sleepmemoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409000 Relevance: 9.1, APIs: 6, Instructions: 95COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409DF4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110networkfileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A245 Relevance: 7.6, APIs: 5, Instructions: 61memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409808 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040978D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409581 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004072ED Relevance: 6.0, APIs: 4, Instructions: 42timeCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406C77 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Execution Graph
Execution Coverage: | 10.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 696 |
Total number of Limit Nodes: | 13 |
Graph
Function 0040ABD9 Relevance: 3.0, APIs: 2, Instructions: 26fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040B346 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 153sleepfileCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409C99 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 127memorynetworkfileCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A786 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 121sleepmemoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040782A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60filetimeCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407E2B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 54fileCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040AC20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407727 Relevance: 6.1, APIs: 4, Instructions: 71COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004077F0 Relevance: 3.0, APIs: 2, Instructions: 30processCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406D14 Relevance: 3.0, APIs: 2, Instructions: 22networkCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040B096 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 181threadnetworkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405229 Relevance: 16.6, APIs: 3, Strings: 8, Instructions: 134sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409301 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 105memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406ADF Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 136registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A156 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407362 Relevance: 13.6, APIs: 9, Instructions: 114timesynchronizationCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409909 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 79memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040AC93 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 105sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004094B6 Relevance: 10.6, APIs: 7, Instructions: 81COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409A99 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 43memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A8F9 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 161sleepmemoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409000 Relevance: 9.1, APIs: 6, Instructions: 95COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407499 Relevance: 9.1, APIs: 6, Instructions: 62timeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409DF4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110networkfileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A245 Relevance: 7.6, APIs: 5, Instructions: 61memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409808 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040978D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409581 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004072ED Relevance: 6.0, APIs: 4, Instructions: 42timeCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406C77 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|