Windows
Analysis Report
lkOawAWJRO.exe
Overview
General Information
Sample name: | lkOawAWJRO.exerenamed because original name is a hash value |
Original sample name: | 1b05ebbfcec15b251b93721338e525c8.exe |
Analysis ID: | 1532112 |
MD5: | 1b05ebbfcec15b251b93721338e525c8 |
SHA1: | 475e17fb4ea6e1d41b18086c541c338b862e1bf4 |
SHA256: | ab30569e57ecb3c3d674890e89a90bebe8884071053a48c2a18dbf8ffc8aa7c3 |
Tags: | 32exetrojan |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- lkOawAWJRO.exe (PID: 5648 cmdline:
"C:\Users\ user\Deskt op\lkOawAW JRO.exe" MD5: 1B05EBBFCEC15B251B93721338E525C8) - service123.exe (PID: 1048 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\servic e123.exe" MD5: 751D09B372396BF3012988CD55D9E27E) - schtasks.exe (PID: 6432 cmdline:
"C:\Window s\System32 \schtasks. exe" /crea te /tn "Se rviceData4 " /tr "C:\ Users\user \AppData\L ocal\Temp\ /service12 3.exe" /st 00:01 /du 9800:59 / sc once /r i 1 /f MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 1848 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- service123.exe (PID: 1628 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\/servic e123.exe MD5: 751D09B372396BF3012988CD55D9E27E)
- service123.exe (PID: 5672 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\/servic e123.exe MD5: 751D09B372396BF3012988CD55D9E27E)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CryptBot | A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. | No Attribution |
{"C2 list": ["sevtvr17pt.top", "analforeverlovyu.top", "+sevtvr17pt.top"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security | ||
JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security | ||
JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-12T12:30:12.478180+0200 | 2054350 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 80.66.81.78 | 80 | TCP |
2024-10-12T12:30:16.140581+0200 | 2054350 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 80.66.81.78 | 80 | TCP |
2024-10-12T12:30:21.029581+0200 | 2054350 | 1 | A Network Trojan was detected | 192.168.2.5 | 49718 | 80.66.81.78 | 80 | TCP |
Click to jump to signature section
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Code function: | 5_2_006C15B0 | |
Source: | Code function: | 5_2_6C2114B0 |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Code function: | 5_2_006C81E0 | |
Source: | Code function: | 5_2_6C28AEC0 | |
Source: | Code function: | 5_2_6C28AF70 | |
Source: | Code function: | 5_2_6C28AF70 | |
Source: | Code function: | 5_2_6C230860 | |
Source: | Code function: | 5_2_6C23A970 | |
Source: | Code function: | 5_2_6C23A9E0 | |
Source: | Code function: | 5_2_6C23A9E0 | |
Source: | Code function: | 5_2_6C22EB10 | |
Source: | Code function: | 5_2_6C234453 | |
Source: | Code function: | 5_2_6C2B84A0 | |
Source: | Code function: | 5_2_6C23C510 | |
Source: | Code function: | 5_2_6C23A580 | |
Source: | Code function: | 5_2_6C23A5F0 | |
Source: | Code function: | 5_2_6C23A5F0 | |
Source: | Code function: | 5_2_6C23E6E0 | |
Source: | Code function: | 5_2_6C23E6E0 | |
Source: | Code function: | 5_2_6C2B0730 | |
Source: | Code function: | 5_2_6C230740 | |
Source: | Code function: | 5_2_6C28C040 | |
Source: | Code function: | 5_2_6C28C1A0 | |
Source: | Code function: | 5_2_6C26A1E0 | |
Source: | Code function: | 5_2_6C230260 | |
Source: | Code function: | 5_2_6C2E4360 | |
Source: | Code function: | 5_2_6C28BD10 | |
Source: | Code function: | 5_2_6C287D10 | |
Source: | Code function: | 5_2_6C283840 | |
Source: | Code function: | 5_2_6C23D974 | |
Source: | Code function: | 5_2_6C269B60 | |
Source: | Code function: | 5_2_6C24BBD7 | |
Source: | Code function: | 5_2_6C24BBDB | |
Source: | Code function: | 5_2_6C28B4D0 | |
Source: | Code function: | 5_2_6C23D504 | |
Source: | Code function: | 5_2_6C289600 | |
Source: | Code function: | 5_2_6C23D674 | |
Source: | Code function: | 5_2_6C283690 | |
Source: | Code function: | 5_2_6C23D7F4 | |
Source: | Code function: | 5_2_6C2B3140 | |
Source: | Code function: | 5_2_6C22B1D0 | |
Source: | Code function: | 5_2_6C23D2A0 | |
Source: | Code function: | 5_2_6C2A7350 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | ASN Name: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 5_2_6C229C22 |
Source: | Code function: | 5_2_6C229C22 | |
Source: | Code function: | 5_2_6C229D11 |
Source: | Code function: | 5_2_6C229E27 |
System Summary |
---|
Source: | File dump: | Jump to dropped file |
Source: | Code function: | 5_2_006C51B0 | |
Source: | Code function: | 5_2_006C3E20 | |
Source: | Code function: | 5_2_6C252CCE | |
Source: | Code function: | 5_2_6C21CD00 | |
Source: | Code function: | 5_2_6C21EE50 | |
Source: | Code function: | 5_2_6C220FC0 | |
Source: | Code function: | 5_2_6C260AC0 | |
Source: | Code function: | 5_2_6C2244F0 | |
Source: | Code function: | 5_2_6C2546E0 | |
Source: | Code function: | 5_2_6C2487C0 | |
Source: | Code function: | 5_2_6C2507D0 | |
Source: | Code function: | 5_2_6C260060 | |
Source: | Code function: | 5_2_6C252090 | |
Source: | Code function: | 5_2_6C242360 | |
Source: | Code function: | 5_2_6C26DC70 | |
Source: | Code function: | 5_2_6C225880 | |
Source: | Code function: | 5_2_6C2498F0 | |
Source: | Code function: | 5_2_6C257A20 | |
Source: | Code function: | 5_2_6C25DBEE | |
Source: | Code function: | 5_2_6C25140E | |
Source: | Code function: | 5_2_6C261510 | |
Source: | Code function: | 5_2_6C25F610 | |
Source: | Code function: | 5_2_6C23F760 | |
Source: | Code function: | 5_2_6C213000 | |
Source: | Code function: | 5_2_6C2270C0 | |
Source: | Code function: | 5_2_6C2D50D0 |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Virustotal: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | 5_2_006C8230 |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 5_2_006CA694 | |
Source: | Code function: | 5_2_6C2C0DAA | |
Source: | Code function: | 5_2_6C28EE33 | |
Source: | Code function: | 5_2_6C264E45 | |
Source: | Code function: | 5_2_6C258E8E | |
Source: | Code function: | 5_2_6C25A95B | |
Source: | Code function: | 5_2_6C260AB6 | |
Source: | Code function: | 5_2_6C27909F | |
Source: | Code function: | 5_2_6C262AC0 | |
Source: | Code function: | 5_2_6C28EBDB | |
Source: | Code function: | 5_2_6C292F24 | |
Source: | Code function: | 5_2_6C292F43 | |
Source: | Code function: | 5_2_6C258449 | |
Source: | Code function: | 5_2_6C278A5F | |
Source: | Code function: | 5_2_6C2504A1 | |
Source: | Code function: | 5_2_6C2506DA | |
Source: | Code function: | 5_2_6C2E6622 | |
Source: | Code function: | 5_2_6C2E6622 | |
Source: | Code function: | 5_2_6C25A5BB | |
Source: | Code function: | 5_2_6C292954 | |
Source: | Code function: | 5_2_6C292973 | |
Source: | Code function: | 5_2_6C2506DA | |
Source: | Code function: | 5_2_6C2506DA | |
Source: | Code function: | 5_2_6C2686A9 | |
Source: | Code function: | 5_2_6C2A0A4F | |
Source: | Code function: | 5_2_6C256707 | |
Source: | Code function: | 5_2_6C2506DA | |
Source: | Code function: | 5_2_6C2506DA | |
Source: | Code function: | 5_2_6C25A78B | |
Source: | Code function: | 5_2_6C260056 | |
Source: | Code function: | 5_2_6C2E6AF6 |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Boot Survival |
---|
Source: | Process created: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | Evasive API call chain: | graph_5-160334 |
Source: | Stalling execution: | graph_5-160335 |
Source: | Registry key queried: | Jump to behavior |
Source: | Window / User API: | Jump to behavior |
Source: | API coverage: |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 5_2_006C8230 |
Source: | Code function: | 5_2_006C116C | |
Source: | Code function: | 5_2_006C1160 | |
Source: | Code function: | 5_2_006C11A3 | |
Source: | Code function: | 5_2_006C13C9 |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 5_2_6C2984D0 |
Source: | Registry key value queried: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 11 Native API | 1 DLL Side-Loading | 1 Scheduled Task/Job | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 2 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 112 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
34% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
1% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
sevtvr17pt.top | 80.66.81.78 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown | |
true | unknown | ||
true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | unknown | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
80.66.81.78 | sevtvr17pt.top | Russian Federation | 202984 | TEAM-HOSTASRU | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1532112 |
Start date and time: | 2024-10-12 12:29:10 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 36s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | lkOawAWJRO.exerenamed because original name is a hash value |
Original Sample Name: | 1b05ebbfcec15b251b93721338e525c8.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@8/2@1/1 |
EGA Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target lkOawAWJRO.exe, PID 5648 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
06:30:11 | API Interceptor | |
06:31:36 | API Interceptor | |
12:31:04 | Task Scheduler |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
80.66.81.78 | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar | Browse |
| |
Get hash | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
TEAM-HOSTASRU | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar | Browse |
| |
Get hash | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine | Browse |
| ||
Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Hook | Browse |
| ||
Get hash | malicious | DCRat, zgRAT | Browse |
| ||
Get hash | malicious | DCRat, zgRAT | Browse |
|
Process: | C:\Users\user\Desktop\lkOawAWJRO.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 315803136 |
Entropy (8bit): | 0.054352357918072115 |
Encrypted: | false |
SSDEEP: | 24576:enUSRBO/35zIY7/KcNtHoptIIRvmd48WPn/T3fMoV7FcRlNVE:fBIZmNWPnzflVBcRlNVE |
MD5: | C6604F3E41D007E0CB931CCD5779BB10 |
SHA1: | 02233E9E95514AC467E392FB296671ACBEF5A567 |
SHA-256: | 8870B0C9D5FB2EE08EE7496B39E63E4AFC782715AC947E3D08A1973F80682FF3 |
SHA-512: | 0D0DA2DC6E8EDC121FE986B75EDE17612620607592052AF80CE0A4380AE5139E8C205C204801CEBCDE5ECA637691FA695B5935716E8A7BA971DAFEDBA02C2F6F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\lkOawAWJRO.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 314617856 |
Entropy (8bit): | 0.0023405856158797084 |
Encrypted: | false |
SSDEEP: | |
MD5: | 751D09B372396BF3012988CD55D9E27E |
SHA1: | 46640B9F3461D7C057B3D086F607736995188A2E |
SHA-256: | 4CEECBCC75B8876D5C0B47977628835F575DC497922CA6154215D2BDC4F0FEC2 |
SHA-512: | EFBA8A3F21413E9B390DD7E0E8F264D3534F37F3592887F50A856BB17149027541AAE3E663F18F87515FD6C5311D0EA424CC6FE767E2331C376E0D8954484AF4 |
Malicious: | true |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.315284808680583 |
TrID: |
|
File name: | lkOawAWJRO.exe |
File size: | 6'840'320 bytes |
MD5: | 1b05ebbfcec15b251b93721338e525c8 |
SHA1: | 475e17fb4ea6e1d41b18086c541c338b862e1bf4 |
SHA256: | ab30569e57ecb3c3d674890e89a90bebe8884071053a48c2a18dbf8ffc8aa7c3 |
SHA512: | 4a947908cd362d359b76d7b8a7cf16635a0712ad35e0fe787441ca07f4d56eedd8f08ed5e04983f9d390efa30bae7e7e27f6d2328baa505a06435a26a720f150 |
SSDEEP: | 49152:bJlOWXpWa3IO7tr7ppOdVDFQejeP7eevRwk8pJ4bK5l1dCSzbL7YI4oCK6yjzcwp:bJlzFP7hCVhQeSP7eepwbpJ4b |
TLSH: | 33667175DEDB42E6C6C30AB6A085F17F6D30FB018C39D6B6DE81DF55E361A22D588880 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(..H..\h...............H...@...........................h.....*.h...@... ............................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x4014a0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x6708C098 [Fri Oct 11 06:07:20 2024 UTC] |
TLS Callbacks: | 0x401800, 0x4017b0 |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 41db2083dac89343aef584a51a80b293 |
Instruction |
---|
mov dword ptr [00A1E070h], 00000001h |
jmp 00007F2B446FFD96h |
nop |
mov dword ptr [00A1E070h], 00000000h |
jmp 00007F2B446FFD86h |
nop |
sub esp, 1Ch |
mov eax, dword ptr [esp+20h] |
mov dword ptr [esp], eax |
call 00007F2B4470E43Eh |
cmp eax, 01h |
sbb eax, eax |
add esp, 1Ch |
ret |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
push ebp |
mov ebp, esp |
push edi |
push esi |
push ebx |
sub esp, 1Ch |
mov dword ptr [esp], 00A0C000h |
call dword ptr [00A1F23Ch] |
sub esp, 04h |
test eax, eax |
je 00007F2B44700155h |
mov ebx, eax |
mov dword ptr [esp], 00A0C000h |
call dword ptr [00A1F270h] |
mov edi, dword ptr [00A1F248h] |
sub esp, 04h |
mov dword ptr [00A1E028h], eax |
mov dword ptr [esp+04h], 00A0C013h |
mov dword ptr [esp], ebx |
call edi |
sub esp, 08h |
mov esi, eax |
mov dword ptr [esp+04h], 00A0C029h |
mov dword ptr [esp], ebx |
call edi |
sub esp, 08h |
mov dword ptr [0088C004h], eax |
test esi, esi |
je 00007F2B447000F3h |
mov dword ptr [esp+04h], 00A1E02Ch |
mov dword ptr [esp], 00A1B104h |
call esi |
mov dword ptr [esp], 00401580h |
call 00007F2B44700043h |
lea esp, dword ptr [ebp-0Ch] |
pop ebx |
pop esi |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61f000 | 0xb78 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x622000 | 0x6a154 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x619384 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x61f21c | 0x1cc | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x48aad8 | 0x48ac00 | 806202804bf4c24de0f8300a3a9b40a7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x48c000 | 0x17f4e0 | 0x17f600 | 8aa117933a6ff49251c12302fdfe7d83 | False | 0.03556954576948158 | dBase III DBT, version number 0, next free block index 10, 1st item "MLF" | 0.5297491567291164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x60c000 | 0xe464 | 0xe600 | 582e05c74fe3f623cd52b496b12ef3c7 | False | 0.244140625 | data | 5.923017472134589 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.eh_fram | 0x61b000 | 0x210c | 0x2200 | 181f5d0343865bf128e68ee095cc4580 | False | 0.32077205882352944 | data | 4.80280643259238 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.bss | 0x61e000 | 0xb74 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x61f000 | 0xb78 | 0xc00 | e2f431baedb52b8ca3510abfc99cf0eb | False | 0.4046223958333333 | data | 5.058618501212495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.CRT | 0x620000 | 0x30 | 0x200 | 947565758601e59a9e2e145caaaaefe2 | False | 0.064453125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x621000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x622000 | 0x6a154 | 0x6a200 | 5f9ba49bd303717456e9f47e8a1f6017 | False | 0.1503331124852768 | data | 6.796403850541748 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext |
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetThreadLocale, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA |
msvcrt.dll | __getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, _wcsnicmp, abort, atoi, bsearch, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, mbstowcs, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, qsort, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-12T12:30:12.478180+0200 | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 192.168.2.5 | 49704 | 80.66.81.78 | 80 | TCP |
2024-10-12T12:30:16.140581+0200 | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 192.168.2.5 | 49705 | 80.66.81.78 | 80 | TCP |
2024-10-12T12:30:21.029581+0200 | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 192.168.2.5 | 49718 | 80.66.81.78 | 80 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 12, 2024 12:30:11.331562042 CEST | 49704 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:11.336744070 CEST | 80 | 49704 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:11.336822033 CEST | 49704 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:11.336981058 CEST | 49704 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:11.337016106 CEST | 49704 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:11.341888905 CEST | 80 | 49704 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:11.341917992 CEST | 80 | 49704 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:12.478060007 CEST | 80 | 49704 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:12.478101969 CEST | 80 | 49704 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:12.478131056 CEST | 80 | 49704 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:12.478179932 CEST | 49704 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:12.478179932 CEST | 49704 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:12.478199005 CEST | 80 | 49704 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:12.478271008 CEST | 49704 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:12.478301048 CEST | 49704 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:12.488202095 CEST | 80 | 49704 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.082030058 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.087038040 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.087249041 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.087483883 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.087483883 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.092536926 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.092549086 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.092554092 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.092567921 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.092572927 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.092577934 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.092581987 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.092592955 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.092626095 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.092714071 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.092746973 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.097130060 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.097217083 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.097608089 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.097626925 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.097642899 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.097677946 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.097697020 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.097714901 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.097796917 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.140352011 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.140580893 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.188368082 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.188477993 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.236394882 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.236463070 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.284456015 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.284528971 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.332376957 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.332446098 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:16.384387970 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:16.574300051 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:17.035027981 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:17.035078049 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:17.035239935 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:17.035239935 CEST | 49705 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:17.040086031 CEST | 80 | 49705 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.188007116 CEST | 49718 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:20.192914009 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.192986012 CEST | 49718 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:20.193109989 CEST | 49718 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:20.193164110 CEST | 49718 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:20.197974920 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.197993994 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.198014975 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.198024035 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.198033094 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.198054075 CEST | 49718 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:20.198054075 CEST | 49718 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:20.198111057 CEST | 49718 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:20.198362112 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.198378086 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.198390961 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.198400021 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.198417902 CEST | 49718 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:20.198453903 CEST | 49718 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:20.198456049 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.202964067 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.202972889 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.202992916 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.203006029 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.203020096 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.203028917 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:20.244374037 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:21.029442072 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:21.029581070 CEST | 49718 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:21.029589891 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Oct 12, 2024 12:30:21.029669046 CEST | 49718 | 80 | 192.168.2.5 | 80.66.81.78 |
Oct 12, 2024 12:30:21.034449100 CEST | 80 | 49718 | 80.66.81.78 | 192.168.2.5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 12, 2024 12:30:10.547028065 CEST | 51668 | 53 | 192.168.2.5 | 1.1.1.1 |
Oct 12, 2024 12:30:11.323900938 CEST | 53 | 51668 | 1.1.1.1 | 192.168.2.5 |
Oct 12, 2024 12:30:20.692953110 CEST | 53 | 64553 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 12, 2024 12:30:10.547028065 CEST | 192.168.2.5 | 1.1.1.1 | 0xfe8b | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 12, 2024 12:30:11.323900938 CEST | 1.1.1.1 | 192.168.2.5 | 0xfe8b | No error (0) | 80.66.81.78 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49704 | 80.66.81.78 | 80 | 5648 | C:\Users\user\Desktop\lkOawAWJRO.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Oct 12, 2024 12:30:11.336981058 CEST | 333 | OUT | |
Oct 12, 2024 12:30:11.337016106 CEST | 412 | OUT | |
Oct 12, 2024 12:30:12.478060007 CEST | 209 | IN | |
Oct 12, 2024 12:30:12.478199005 CEST | 209 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49705 | 80.66.81.78 | 80 | 5648 | C:\Users\user\Desktop\lkOawAWJRO.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Oct 12, 2024 12:30:16.087483883 CEST | 335 | OUT | |
Oct 12, 2024 12:30:16.087483883 CEST | 11124 | OUT | |
Oct 12, 2024 12:30:16.092714071 CEST | 18540 | OUT | |
Oct 12, 2024 12:30:16.092746973 CEST | 2472 | OUT | |
Oct 12, 2024 12:30:16.097217083 CEST | 2472 | OUT | |
Oct 12, 2024 12:30:16.097796917 CEST | 14832 | OUT | |
Oct 12, 2024 12:30:16.140580893 CEST | 34608 | OUT | |
Oct 12, 2024 12:30:16.188477993 CEST | 1236 | OUT | |
Oct 12, 2024 12:30:16.236463070 CEST | 1236 | OUT | |
Oct 12, 2024 12:30:16.284528971 CEST | 1236 | OUT | |
Oct 12, 2024 12:30:16.332446098 CEST | 2045 | OUT | |
Oct 12, 2024 12:30:17.035027981 CEST | 209 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 49718 | 80.66.81.78 | 80 | 5648 | C:\Users\user\Desktop\lkOawAWJRO.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Oct 12, 2024 12:30:20.193109989 CEST | 335 | OUT | |
Oct 12, 2024 12:30:20.193164110 CEST | 11124 | OUT | |
Oct 12, 2024 12:30:20.198054075 CEST | 1236 | OUT | |
Oct 12, 2024 12:30:20.198054075 CEST | 2472 | OUT | |
Oct 12, 2024 12:30:20.198111057 CEST | 7416 | OUT | |
Oct 12, 2024 12:30:20.198417902 CEST | 4944 | OUT | |
Oct 12, 2024 12:30:20.198453903 CEST | 2831 | OUT | |
Oct 12, 2024 12:30:21.029442072 CEST | 209 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 06:30:01 |
Start date: | 12/10/2024 |
Path: | C:\Users\user\Desktop\lkOawAWJRO.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x140000 |
File size: | 6'840'320 bytes |
MD5 hash: | 1B05EBBFCEC15B251B93721338E525C8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 5 |
Start time: | 06:31:02 |
Start date: | 12/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6c0000 |
File size: | 314'617'856 bytes |
MD5 hash: | 751D09B372396BF3012988CD55D9E27E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 6 |
Start time: | 06:31:02 |
Start date: | 12/10/2024 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xeb0000 |
File size: | 187'904 bytes |
MD5 hash: | 48C2FE20575769DE916F48EF0676A965 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 06:31:02 |
Start date: | 12/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 06:31:05 |
Start date: | 12/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6c0000 |
File size: | 314'617'856 bytes |
MD5 hash: | 751D09B372396BF3012988CD55D9E27E |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 9 |
Start time: | 06:32:03 |
Start date: | 12/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6c0000 |
File size: | 314'617'856 bytes |
MD5 hash: | 751D09B372396BF3012988CD55D9E27E |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 0.1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 46.5% |
Total number of Nodes: | 99 |
Total number of Limit Nodes: | 3 |
Graph
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C229C22 Relevance: 15.1, APIs: 10, Instructions: 110sleepclipboardCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116libraryloaderCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62libraryloaderCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C229B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32sleepsynchronizationclipboardCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C1296 Relevance: 5.1, APIs: 4, Instructions: 80stringCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C13BB Relevance: 5.1, APIs: 4, Instructions: 66stringCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C22B3F0 Relevance: 1.4, APIs: 1, Instructions: 144COMMON
Control-flow Graph
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C22B560 Relevance: 1.3, APIs: 1, Instructions: 95COMMON
Control-flow Graph
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C220FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2984D0 Relevance: 17.7, Strings: 14, Instructions: 166COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21EE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C23E6E0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C229D11 Relevance: 12.0, APIs: 8, Instructions: 46clipboardmemorystringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C230860 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2270C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C3E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2244F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C23C510 Relevance: 2.5, Strings: 2, Instructions: 42COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C230740 Relevance: 2.5, Strings: 2, Instructions: 42COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2546E0 Relevance: 2.1, APIs: 1, Instructions: 873COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C252CCE Relevance: 2.1, APIs: 1, Instructions: 811COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C25140E Relevance: 2.1, APIs: 1, Instructions: 811COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C252090 Relevance: 2.0, APIs: 1, Instructions: 790COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2507D0 Relevance: 2.0, APIs: 1, Instructions: 789COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C23F760 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C257A20 Relevance: 1.9, APIs: 1, Instructions: 678COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C242360 Relevance: 1.6, APIs: 1, Instructions: 357COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C26DC70 Relevance: 1.6, APIs: 1, Instructions: 328COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C269B60 Relevance: 1.3, Strings: 1, Instructions: 81COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C22EB10 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C230260 Relevance: 1.3, Strings: 1, Instructions: 20COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C25DBEE Relevance: .8, Instructions: 838COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C261510 Relevance: .7, Instructions: 684COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C260060 Relevance: .7, Instructions: 683COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C260AC0 Relevance: .7, Instructions: 674COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C25F610 Relevance: .7, Instructions: 671COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C234453 Relevance: .5, Instructions: 465COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C213000 Relevance: .4, Instructions: 356COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2D50D0 Relevance: .3, Instructions: 292COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C28AF70 Relevance: .2, Instructions: 202COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2A7350 Relevance: .2, Instructions: 200COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C28C1A0 Relevance: .2, Instructions: 181COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C24BBD7 Relevance: .1, Instructions: 87COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C289600 Relevance: .1, Instructions: 84COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C23D2A0 Relevance: .1, Instructions: 83COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C287D10 Relevance: .1, Instructions: 81COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C24BBDB Relevance: .1, Instructions: 78COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C28AEC0 Relevance: .1, Instructions: 67COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C28BD10 Relevance: .1, Instructions: 67COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C28B4D0 Relevance: .1, Instructions: 58COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C28C040 Relevance: .1, Instructions: 57COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2B84A0 Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C23D504 Relevance: .0, Instructions: 48COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2E4360 Relevance: .0, Instructions: 46COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C26A1E0 Relevance: .0, Instructions: 18COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C23D974 Relevance: .0, Instructions: 14COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C23D674 Relevance: .0, Instructions: 14COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C23D7F4 Relevance: .0, Instructions: 14COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C22B1D0 Relevance: .0, Instructions: 13COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C212290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21B7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2129F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2128BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C212A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C212B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C212AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21B930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21BFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21BEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21BC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21BE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21BE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21BDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21BE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21BDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21C150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21C470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21D570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21D67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21D6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21D855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C22C330 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21D8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21DA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21DCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21DD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C220310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C1940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21A690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21E0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21E570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21E59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21E714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C229249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21FEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21E760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C14E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2113E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2373C0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 237stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21E800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C1E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C23B810 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C237710 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 211stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21E8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21E340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2201F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C8120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C229171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21EA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2B4AE0 Relevance: 10.2, APIs: 8, Instructions: 158COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2B0970 Relevance: 10.2, APIs: 8, Instructions: 150COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21EB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C22B060 Relevance: 9.1, APIs: 6, Instructions: 145COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C211020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C231F00 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C231C50 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21ED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C22E0D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C219490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C28D810 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21F840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2D8520 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C229530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C220290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C80D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C229128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C229293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21A340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2E0F90 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C23E980 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C23E581 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C7C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C229660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21F511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21F6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2155A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C1001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C289F70 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2A5DB0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2A55D0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2A4DD0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2A45D0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C22E1F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2377B1 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C6B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C228080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006C2000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C21AB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|