Windows
Analysis Report
17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe
Overview
General Information
Sample name: | 17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe |
Analysis ID: | 1577171 |
MD5: | 0d323be01f1a4edfd1c8e9f2c344a374 |
SHA1: | 08a5cd24b9898676c2b6f8a88b5d42027c05085a |
SHA256: | c81c405cc7c101ef8dd7c32a457c69495663f46c6039c5dc38e7e8b485b9840f |
Tags: | base64-decoded, exe, user-abuse_ch |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe (PID: 5944, cmdline: "C:\Users\user\Desktop\17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe", MD5: 0D323BE01F1A4EDFD1C8E9F2C344A374)
  - conhost.exe (PID: 3184, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool used to remotely control computers. Remcos is advertised as legitimate software for surveillance and penetration testing purposes, but it has been used in numerous hacking campaigns. Once installed, Remcos opens a backdoor on the computer, granting full access to the remote operator. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": ["177.106.216.153:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-GEAZH5", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
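The extracted configuration above already tells a hunter where to look: the C2 endpoint, the mutex and the persistence switches. The following Python is added here as a worked example and is not part of the Joe Sandbox report or of Remcos itself. It turns the configuration JSON into indicators and a local Suricata rule. The configuration values are copied from the report (keys not used below are omitted); the registry paths assigned to the two "Setup ... Run" switches, and the reading that a disabled Install flag suppresses the self-copy and the Run values, are this example's assumptions.

```python
"""Turn an extracted Remcos configuration into hunt-ready indicators."""
import json

# Configuration block copied from the report above (unused keys omitted).
REMCOS_CONFIG = json.loads(r'''{"Host:Port:Password": ["177.106.216.153:2404:1"],
"Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable",
"Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path",
"Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable",
"Mutex": "Rmc-GEAZH5", "Keylog flag": "0", "Keylog path": "Application path",
"Keylog file": "logs.dat", "Keylog crypt": "Disable", "Screenshot flag": "Disable",
"Screenshot path": "AppData", "Screenshot file": "Screenshots", "Audio folder": "MicRecords",
"Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}''')

# Registry locations the two "Setup ... Run" switches refer to. The paths are the
# standard Windows Run keys; tying them to these config keys is this example's assumption.
RUN_KEYS = {
    "Setup HKCU\\Run": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "Setup HKLM\\Run": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}


def enabled(cfg, key):
    """Remcos switches are the strings Enable/Disable; anything else counts as off."""
    return str(cfg.get(key, "")).strip().lower() == "enable"


def parse_c2(entries):
    """Split 'host:port:password' entries; the password may itself contain ':'."""
    out = []
    for entry in entries:
        host, port, password = entry.split(":", 2)
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry: {entry!r}")
        out.append({"host": host, "port": port, "password": password})
    return out


def host_artifacts(cfg):
    """Host-side artefacts an analyst would look for on a suspected victim."""
    install = enabled(cfg, "Install flag")
    run_keys = [path for key, path in RUN_KEYS.items() if enabled(cfg, key)]
    return {
        "mutex": cfg.get("Mutex", ""),
        "install_flag": install,
        "run_keys": run_keys,
        # Assumption: the Run values and the self-copy are only written when the
        # install flag is on, so with it off none of that is expected on disk.
        "persistence_expected": install and bool(run_keys),
        "copy_path": f"<{cfg.get('Install path', '')}>\\{cfg.get('Copy folder', '')}\\{cfg.get('Copy file', '')}",
        "keylog_path": f"<{cfg.get('Keylog path', '')}>\\{cfg.get('Keylog folder', '')}\\{cfg.get('Keylog file', '')}",
    }


def suricata_rules(c2s, base_sid=1000001):
    """One alert per C2 endpoint; SIDs from 1000000 up are the local-rule range."""
    rules = []
    for i, c2 in enumerate(c2s):
        rules.append(
            f'alert tcp $HOME_NET any -> {c2["host"]} {c2["port"]} '
            f'(msg:"Remcos C2 endpoint from extracted config"; flow:to_server; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2s = parse_c2(REMCOS_CONFIG["Host:Port:Password"])
    print(c2s)
    print(host_artifacts(REMCOS_CONFIG))
    print("\n".join(suricata_rules(c2s)))
```

For this sample the Run switches are on but the Install flag is off, so the script reports no expected persistence, which agrees with the behaviour section below (no Run-key write is listed). The mutex name is still the most specific host indicator: it is created regardless of installation, and a handle enumeration on a live host will show it.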
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
REMCOS_RAT_variants | unknown | unknown |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
REMCOS_RAT_variants | unknown | unknown |
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
REMCOS_RAT_variants | unknown | unknown |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T08:20:58.126704+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49985 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:21:23.711095+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:21:46.727434+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49721 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:22:09.776660+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49772 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:22:32.822940+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49828 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:22:55.900507+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49880 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:23:19.025988+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49933 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:23:42.046781+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49981 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:24:05.105282+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49982 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:24:28.136984+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49983 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:24:51.215452+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49984 | 177.106.216.153 | 2404 | TCP |
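The alert table above shows eleven new connections to the same host and port at almost constant spacing; that regularity, more than the single signature hit, is what a detection engineer would generalise. The Python below is added here as an example and is not taken from the report. It parses the rows as printed, groups them per (source IP, destination IP, destination port, protocol), and flags flows whose inter-connection gaps have low relative jitter. The thresholds (at least five connections, jitter at or below 15 % of the mean gap) and the second, irregular flow are this example's own constructions.

```python
"""Flag fixed-cadence connections (beaconing) in IDS alert rows."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Rows copied verbatim from the Suricata alert table above.
ALERT_ROWS = """
2024-12-18T08:20:58.126704+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49985 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:21:23.711095+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:21:46.727434+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49721 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:22:09.776660+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49772 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:22:32.822940+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49828 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:22:55.900507+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49880 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:23:19.025988+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49933 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:23:42.046781+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49981 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:24:05.105282+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49982 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:24:28.136984+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49983 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:24:51.215452+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49984 | 177.106.216.153 | 2404 | TCP |
"""

# Constructed counter-example (not from the report): same shape, irregular timing.
IRREGULAR_ROWS = """
2024-12-18T08:00:00.000000+0100 | 9000001 | 3 | Constructed test alert | 192.168.2.7 | 50001 | 203.0.113.9 | 8080 | TCP |
2024-12-18T08:00:05.000000+0100 | 9000001 | 3 | Constructed test alert | 192.168.2.7 | 50002 | 203.0.113.9 | 8080 | TCP |
2024-12-18T08:01:05.000000+0100 | 9000001 | 3 | Constructed test alert | 192.168.2.7 | 50003 | 203.0.113.9 | 8080 | TCP |
2024-12-18T08:01:07.000000+0100 | 9000001 | 3 | Constructed test alert | 192.168.2.7 | 50004 | 203.0.113.9 | 8080 | TCP |
2024-12-18T08:06:07.000000+0100 | 9000001 | 3 | Constructed test alert | 192.168.2.7 | 50005 | 203.0.113.9 | 8080 | TCP |
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # strptime's %z accepts the report's "+0100"


def parse_rows(text):
    """Group timestamps by (src ip, dst ip, dst port, proto). The source port is
    ignored on purpose: each beacon here is a fresh connection from a new ephemeral port."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 9:
            continue  # blank or separator line
        try:
            ts = datetime.strptime(cols[0], TS_FORMAT)
        except ValueError:
            continue  # header line
        flows[(cols[4], cols[6], int(cols[7]), cols[8])].append(ts)
    return flows


def beacon_stats(timestamps):
    """Mean gap between successive connections and its relative jitter (pstdev/mean)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return {"connections": len(ts), "mean_gap_s": avg,
            "jitter": pstdev(gaps) / avg if avg > 0 else float("inf")}


def find_beacons(text, min_connections=5, max_jitter=0.15):
    """Return [(flow key, stats)] for flows that look like fixed-interval check-ins."""
    hits = []
    for key, stamps in parse_rows(text).items():
        st = beacon_stats(stamps)
        if st and st["connections"] >= min_connections and st["jitter"] <= max_jitter:
            hits.append((key, st))
    return hits


if __name__ == "__main__":
    for key, st in find_beacons(ALERT_ROWS + IRREGULAR_ROWS):
        print(key, f"{st['connections']} connections, mean gap {st['mean_gap_s']:.1f}s, "
                   f"jitter {st['jitter']:.2f}")
```

The Remcos flow comes out at a mean gap of about 23.3 s with a jitter ratio near 0.03, so it is flagged; the constructed flow has a ratio above 1 and is not. The first gap is 25.6 s against 23 s for the rest, which a ratio test tolerates and a strict fixed-interval match would not. The same grouping works on a Zeek conn.log or a firewall export, where there is no signature to lean on.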
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_0042B1BA |
Source: | Binary or memory string: | memstr_3d0d0f38-6 |
Source: | Static PE information: |
Source: | Code function: | 0_2_00408219 | |
Source: | Code function: | 0_2_00407305 | |
Source: | Code function: | 0_2_00407753 | |
Source: | Code function: | 0_2_004147B5 | |
Source: | Code function: | 0_2_004409E9 | |
Source: | Code function: | 0_2_00405CAE | |
Source: | Code function: | 0_2_00404D13 | |
Source: | Code function: | 0_2_00407FFE |
Source: | Code function: | 0_2_0040513A |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | IPs: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | Code function: | 0_2_0041EE41 |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_0040F4C7 |
Source: | Code function: | 0_2_0040F4C7 |
Source: | Code function: | 0_2_0040F4C7 |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Spam, unwanted Advertisements and Ransom Demands |
---|
Source: | Code function: | 0_2_00414D9F |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 0_2_004140F0 | |
Source: | Code function: | 0_2_0041411C |
Source: | Code function: | 0_2_0040F4C7 |
Source: | Code function: | 0_2_0041603E | |
Source: | Code function: | 0_2_00431227 | |
Source: | Code function: | 0_2_0042E230 | |
Source: | Code function: | 0_2_0042B2C5 | |
Source: | Code function: | 0_2_0040F4C7 | |
Source: | Code function: | 0_2_004304DE | |
Source: | Code function: | 0_2_0044B490 | |
Source: | Code function: | 0_2_0044549B | |
Source: | Code function: | 0_2_0041F4A7 | |
Source: | Code function: | 0_2_004175F5 | |
Source: | Code function: | 0_2_00447658 | |
Source: | Code function: | 0_2_0043165C | |
Source: | Code function: | 0_2_0042D78B | |
Source: | Code function: | 0_2_0043681C | |
Source: | Code function: | 0_2_0040D9C0 | |
Source: | Code function: | 0_2_004309DA | |
Source: | Code function: | 0_2_00436A4B | |
Source: | Code function: | 0_2_0041FB45 | |
Source: | Code function: | 0_2_00437B60 | |
Source: | Code function: | 0_2_00445BB9 | |
Source: | Code function: | 0_2_0041FC88 | |
Source: | Code function: | 0_2_00430DF2 | |
Source: | Code function: | 0_2_0041EFB0 |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Source: | Code function: | 0_2_00410D45 |
Source: | Code function: | 0_2_0040A81F |
Source: | Code function: | 0_2_00413BA5 |
Source: | Code function: | 0_2_00413188 |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | Command line argument: | 0_2_0040A1F6 | |
Source: | Command line argument: | 0_2_0040A1F6 | |
Source: | Command line argument: | 0_2_0040A1F6 | |
Source: | Command line argument: | 0_2_0040A1F6 | |
Source: | Command line argument: | 0_2_0040A1F6 | |
Source: | Command line argument: | 0_2_0040A1F6 | |
Source: | Command line argument: | 0_2_0040A1F6 | |
Source: | Command line argument: | 0_2_0040A1F6 | |
Source: | Command line argument: | 0_2_0040A1F6 | |
Source: | Command line argument: | 0_2_0040A1F6 | |
Source: | Command line argument: | 0_2_0040A1F6 | |
Source: | Command line argument: | 0_2_0040A1F6 |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_00414F0D |
Source: | Code function: | 0_2_0044A609 | |
Source: | Code function: | 0_2_0042C7B9 | |
Source: | Code function: | 0_2_0044AE76 |
Source: | Code function: | 0_2_00404A5B |
Source: | Code function: | 0_2_00413188 |
Source: | Code function: | 0_2_00414F0D |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | Code function: | 0_2_0040A6E0 |
Source: | Code function: | 0_2_00412EB6 |
Source: | Window / User API: |
Source: | Evasive API call chain: | graph_0-41302 |
Source: | Thread sleep time: |
Source: | Code function: | 0_2_00408219 | |
Source: | Code function: | 0_2_00407305 | |
Source: | Code function: | 0_2_00407753 | |
Source: | Code function: | 0_2_004147B5 | |
Source: | Code function: | 0_2_004409E9 | |
Source: | Code function: | 0_2_00405CAE | |
Source: | Code function: | 0_2_00404D13 | |
Source: | Code function: | 0_2_00407FFE |
Source: | Code function: | 0_2_0040513A |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_004320FC |
Source: | Code function: | 0_2_00414F0D |
Source: | Code function: | 0_2_00438EA2 |
Source: | Code function: | 0_2_0040CB8C |
Source: | Code function: | 0_2_004320FC | |
Source: | Code function: | 0_2_0042C567 | |
Source: | Code function: | 0_2_0042C6F9 | |
Source: | Code function: | 0_2_0042C926 |
Source: | Code function: | 0_2_0041250F |
Source: | Code function: | 0_2_0042C3B7 |
Source: | Code function: | 0_2_004440C0 | |
Source: | Code function: | 0_2_0044410B | |
Source: | Code function: | 0_2_004441A6 | |
Source: | Code function: | 0_2_00444233 | |
Source: | Code function: | 0_2_0043D2BC | |
Source: | Code function: | 0_2_00444483 | |
Source: | Code function: | 0_2_004445AC | |
Source: | Code function: | 0_2_004446B3 | |
Source: | Code function: | 0_2_0040A7F3 | |
Source: | Code function: | 0_2_00444780 | |
Source: | Code function: | 0_2_00443E48 | |
Source: | Code function: | 0_2_0043CE55 |
Source: | Code function: | 0_2_00413BEC |
Source: | Code function: | 0_2_00413D0A |
Source: | Key value queried: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 0_2_00407EE0 |
Source: | Code function: | 0_2_00407FFE | |
Source: | Code function: | 0_2_00407FFE |
Remote Access Functionality |
---|
Source: | Mutex created: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 0_2_00403B2B |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 2 Credentials In Files | 1 Account Discovery | Remote Desktop Protocol | 3 Clipboard Data | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement |
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Windows Service | 1 DLL Side-Loading | Security Account Manager | 1 System Service Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Process Injection | 1 Virtualization/Sandbox Evasion | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Access Token Manipulation | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 1 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Process Injection | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
81% | Virustotal | Browse | ||
84% | ReversingLabs | Win32.Trojan.Remcos | ||
100% | Avira | BDS/Backdoor.Gen | ||
100% | Joe Sandbox ML |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
177.106.216.153 | unknown | Brazil | 53006 | ALGARTELECOMSABR | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1577171 |
Start date and time: | 2024-12-18 08:20:11 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 19s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe |
Detection: | MAL |
Classification: | mal100.rans.troj.spyw.evad.winEXE@2/1@0/1 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
Time | Type | Description |
---|---|---|
02:21:36 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ALGARTELECOMSABR | | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Mirai, Okiru | | |
| | | malicious | Mirai, Okiru | | |
| | | malicious | Mirai, Okiru | | |
| | | malicious | Mirai, Okiru | | |
| | | malicious | Mirai | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Mirai, Okiru | | |
Process: | C:\Users\user\Desktop\17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2208 |
Entropy (8bit): | 4.791675079005263 |
Encrypted: | false |
SSDEEP: | 24:7QFtUbmjl5RRARLXA/MeEDZARXTPApEDZAhXThAnEDZADaXT+AuEDZAG8XTohACD:URrR7tM0awkpVjZX7GYetqD |
MD5: | 280CCCB00D2547AAA419CFEA9FB72853 |
SHA1: | 2C73480F1F9CEC984A44FE95F037200FE3BA278C |
SHA-256: | 1C43E320F5A8964174E32F5CEC883698E93B3D258D0A589EADC1929A42A0241F |
SHA-512: | 084240ABB82CF638655E2746430DC17EBDECCA34E4E47DA82AD9AD66BE1DE29D580710AC9411C93D625BD679DF4FA9CEF3B2226667D0A96913DB0107F684B0F7 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.564812924484639 |
TrID: |
File name: | 17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe |
File size: | 439'808 bytes |
MD5: | 0d323be01f1a4edfd1c8e9f2c344a374 |
SHA1: | 08a5cd24b9898676c2b6f8a88b5d42027c05085a |
SHA256: | c81c405cc7c101ef8dd7c32a457c69495663f46c6039c5dc38e7e8b485b9840f |
SHA512: | e55cd4dc8c5e24db29f3f2557161af03fd3609474a019fe22285cac04b75878799cdd7ea4e63eafa5fbc75f4318b0d2824a5afd64d8de66c4c0584307dd878de |
SSDEEP: | 6144:3+d2+U+8RRJorR7zu6tF9x46YGg83lgnbJHZFXUU01yC5wJ/3AO2HyXGcKcOxuf:3+d3UGddn4F83l0JjXUU0kXAHTceuf |
TLSH: | 6E949E12B492C436C17212740E29FB7599BCBC2029354A7B73EA5E5BBE741C1B73A363 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X..Y9.@Y9.@Y9.@...@K9.@..,@.9.@..-@G9.@PA[@X9.@...@[9.@.g.A@9.@.g.Ac9.@.g.A{9.@PAL@N9.@Y9.@x8.@.g.A:9.@.g @X9.@.g.AX9.@RichY9. |
Icon Hash: | 95694d05214c1b33 |
Entrypoint: | 0x42c30d |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67249198 [Fri Nov 1 08:30:16 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 6e326715b064080305ea2c7299a1a146 |
Instruction |
---|
call 00007F1DB88B772Eh |
jmp 00007F1DB88B7113h |
push ebp |
mov ebp, esp |
push esi |
push dword ptr [ebp+08h] |
mov esi, ecx |
call 00007F1DB889458Bh |
mov dword ptr [esi], 0044D608h |
mov eax, esi |
pop esi |
pop ebp |
retn 0004h |
and dword ptr [ecx+04h], 00000000h |
mov eax, ecx |
and dword ptr [ecx+08h], 00000000h |
mov dword ptr [ecx+04h], 0044D610h |
mov dword ptr [ecx], 0044D608h |
ret |
push ebp |
mov ebp, esp |
push esi |
push dword ptr [ebp+08h] |
mov esi, ecx |
call 00007F1DB8894558h |
mov dword ptr [esi], 0044D624h |
mov eax, esi |
pop esi |
pop ebp |
retn 0004h |
and dword ptr [ecx+04h], 00000000h |
mov eax, ecx |
and dword ptr [ecx+08h], 00000000h |
mov dword ptr [ecx+04h], 0044D62Ch |
mov dword ptr [ecx], 0044D624h |
ret |
push ebp |
mov ebp, esp |
sub esp, 0Ch |
lea ecx, dword ptr [ebp-0Ch] |
call 00007F1DB88B722Ch |
push 00461474h |
lea eax, dword ptr [ebp-0Ch] |
push eax |
call 00007F1DB88B9AD0h |
int3 |
push ebp |
mov ebp, esp |
sub esp, 0Ch |
lea ecx, dword ptr [ebp-0Ch] |
call 00007F1DB88B7242h |
push 004614ACh |
lea eax, dword ptr [ebp-0Ch] |
push eax |
call 00007F1DB88B9AB3h |
int3 |
push ebp |
mov ebp, esp |
and dword ptr [00464CF4h], 00000000h |
sub esp, 2Ch |
push ebx |
xor ebx, ebx |
inc ebx |
or dword ptr [00464008h], ebx |
push 0000000Ah |
call 00007F1DB88D549Ah |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61e60 | 0xf0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6c000 | 0x4b1c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x3230 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x605a0 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x60634 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x605d8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4d000 | 0x45c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4b688 | 0x4b800 | e84ed944ba29734bdced1297da24b3fb | False | 0.5698112841473509 | data | 6.593960371445512 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x4d000 | 0x165ee | 0x16600 | 54cb677cc25721b8914fcde1c8be2a43 | False | 0.5063394727653632 | data | 5.883415511327707 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x64000 | 0x581c | 0xe00 | b9ca172088fe3345000a12ada6d53f56 | False | 0.22126116071428573 | DOS executable (block device driver @\273\) | 2.962265465577797 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x6a000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.gfids | 0x6b000 | 0x230 | 0x400 | 0747c61f2fa83c611aaeccc5824e2ea6 | False | 0.3291015625 | data | 2.434099416831738 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x6c000 | 0x4b1c | 0x4c00 | 29075bd2ef907706d6331c5f9ec41b79 | False | 0.2811472039473684 | data | 3.9849887232395136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x71000 | 0x3230 | 0x3400 | a2f5aa2094350b2c70244655d85ef0b4 | False | 0.7514272836538461 | data | 6.607221331182835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x6c18c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837 |
RT_ICON | 0x6c5f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885 |
RT_ICON | 0x6cf7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052 |
RT_ICON | 0x6e024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513 |
RT_RCDATA | 0x705cc | 0x50e | data | 1.008500772797527 | ||
RT_GROUP_ICON | 0x70adc | 0x3e | data | English | United States | 0.8064516129032258 |
DLL | Import |
---|---|
KERNEL32.dll | VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcAddress, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetCurrentProcess, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetCurrentProcessId, GetTickCount, GlobalUnlock, LocalAlloc, GetModuleHandleA, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, RemoveDirectoryW, FindResourceA, OpenProcess, lstrcatW, LockResource, LoadResource, LocalFree, GetFileSize, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindNextVolumeW, SetLastError, ExpandEnvironmentStringsA, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, VirtualProtect, Process32FirstW, Process32NextW, CreateToolhelp32Snapshot, GetLocaleInfoA, ExitProcess, CreateMutexA, GetModuleFileNameW, GetLongPathNameW, AllocConsole, GetLastError, FindNextFileA, FindFirstFileA, WaitForSingleObject, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, CreateFileW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, CreateDirectoryW, CreateProcessA, Sleep, PeekNamedPipe, CreatePipe, TerminateProcess, WriteFile, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, CloseHandle, SetEvent, CreateEventW, lstrcmpW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, GetModuleHandleW, WaitForSingleObjectEx, ResetEvent, SetEndOfFile |
USER32.dll | SetWindowTextW, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, SetForegroundWindow, SetClipboardData, GetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, CloseClipboard, OpenClipboard, ShowWindow, CreatePopupMenu, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, MessageBoxW, IsWindowVisible, CloseWindow, GetWindowThreadProcessId, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, DrawIcon, GetSystemMetrics, GetIconInfo, SystemParametersInfoW, GetForegroundWindow, RegisterClassExA, GetCursorPos |
GDI32.dll | CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, BitBlt |
ADVAPI32.dll | RegEnumValueW, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegQueryValueExW, RegDeleteKeyA |
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW |
SHLWAPI.dll | StrToIntA, PathFileExistsA, PathFileExistsW |
WINMM.dll | PlaySoundW, mciSendStringA, mciSendStringW |
WS2_32.dll | inet_addr, WSASetLastError, gethostbyname, gethostbyaddr, WSAGetLastError, recv, connect, socket, send, WSAStartup, closesocket, htons, htonl, getservbyname, inet_ntoa, ntohs, getservbyport |
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW |
gdiplus.dll | GdiplusStartup, GdipGetImageEncoders, GdipCloneImage, GdipAlloc, GdipDisposeImage, GdipFree, GdipGetImageEncodersSize, GdipSaveImageToStream, GdipLoadImageFromStream |
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile |
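The import table above is the sample's static capability surface: GDI bitmap routines for screen capture, clipboard and input-injection calls in USER32, service-control and registry-write calls in ADVAPI32, MCI audio control in WINMM, URL download helpers in urlmon and a plain Winsock client. As an added example, not part of the Joe Sandbox report, the script below reads a subset of those rows (copied from the table, labelled as constructed input) and groups the imports into capability clusters. The capability labels and the API sets behind them are this example's own assumptions in the spirit of tools such as capa, not the analyzer's rules; the API names are real Win32 exports. Rules with no match are reported separately with a caveat: LoadLibraryA and GetProcAddress are both imported, so an API that is absent from the table can still be resolved by name at run time, and absence here is not evidence that the capability is missing.

```python
import re

# Constructed input: a subset of the import table rows above (DLL | imports),
# limited to the DLLs the rules below examine. The report carries the full rows.
IMPORT_ROWS = """\
KERNEL32.dll | VirtualAlloc, VirtualProtect, LoadLibraryA, GetProcAddress, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CreateMutexA, CreatePipe, PeekNamedPipe, CreateProcessA, CreateThread |
USER32.dll | OpenClipboard, GetClipboardData, SetClipboardData, EmptyClipboard, CloseClipboard, SendInput, mouse_event, MapVirtualKeyA, ExitWindowsEx |
GDI32.dll | CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, BitBlt |
ADVAPI32.dll | RegOpenKeyExW, RegCreateKeyExW, RegSetValueExW, OpenSCManagerW, OpenServiceW, ChangeServiceConfigW, ControlService, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges |
WINMM.dll | PlaySoundW, mciSendStringA, mciSendStringW |
WS2_32.dll | socket, connect, send, recv, gethostbyname |
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW |
"""

# Each capability lists alternative API sets; a rule matches when every API of
# at least one alternative is imported. Labels and groupings are this example's
# own (an assumption), not a published rule set.
CAPABILITY_RULES = {
    "screen capture (GDI)": [{"CreateCompatibleDC", "CreateCompatibleBitmap", "BitBlt", "GetDIBits"}],
    "clipboard read/write": [{"OpenClipboard", "GetClipboardData", "SetClipboardData"}],
    "synthetic input": [{"SendInput"}, {"mouse_event"}],
    "process enumeration": [{"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}],
    "registry write (persistence primitive)": [{"RegCreateKeyExW", "RegSetValueExW"},
                                               {"RegCreateKeyExA", "RegSetValueExA"}],
    "service reconfiguration": [{"OpenSCManagerW", "OpenServiceW", "ChangeServiceConfigW"}],
    "token privilege adjustment": [{"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"}],
    "remote shell via piped child process": [{"CreatePipe", "PeekNamedPipe", "CreateProcessA"}],
    "audio control (MCI)": [{"mciSendStringA"}, {"mciSendStringW"}],
    "file download": [{"URLDownloadToFileW"}],
    "raw TCP client": [{"socket", "connect", "send", "recv"}],
    "dynamic API resolution": [{"LoadLibraryA", "GetProcAddress"}, {"LoadLibraryW", "GetProcAddress"}],
    "keyboard hook": [{"SetWindowsHookExA"}, {"SetWindowsHookExW"}],
}


def parse_imports(rows_text):
    """Map each imported API name to the DLL it is imported from."""
    api_to_dll = {}
    for line in rows_text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 2 or not cells[0].lower().endswith(".dll"):
            continue  # skip separators, headers and blank lines
        for api in cells[1].split(","):
            api = api.strip()
            if api:
                api_to_dll[api] = cells[0]
    return api_to_dll


def triage_imports(rows_text):
    """Return {capability: ['DLL!API', ...]} for matched rules and
    {capability: None} where the static import table gives no evidence."""
    api_to_dll = parse_imports(rows_text)
    result = {}
    for cap, alternatives in CAPABILITY_RULES.items():
        result[cap] = None
        for apis in alternatives:
            if apis.issubset(api_to_dll):
                result[cap] = sorted(f"{api_to_dll[a]}!{a}" for a in apis)
                break
    return result


def unmatched_with_caveat(result):
    """Rules without static evidence, plus whether the sample can resolve
    APIs at run time (LoadLibrary + GetProcAddress), in which case an API
    missing from the import table may still be used."""
    missing = sorted(cap for cap, evidence in result.items() if evidence is None)
    resolves_dynamically = result.get("dynamic API resolution") is not None
    return missing, resolves_dynamically
```

On the rows above every rule except "keyboard hook" matches, and because "dynamic API resolution" matches too, the missing hook API should be read as "not statically visible" rather than "not present". The same parser runs unchanged on the full KERNEL32 row or on any other report that uses this DLL | imports layout.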
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T08:20:58.126704+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49985 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:21:23.711095+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49704 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:21:46.727434+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49721 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:22:09.776660+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49772 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:22:32.822940+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49828 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:22:55.900507+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49880 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:23:19.025988+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49933 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:23:42.046781+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49981 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:24:05.105282+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49982 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:24:28.136984+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49983 | 177.106.216.153 | 2404 | TCP |
2024-12-18T08:24:51.215452+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49984 | 177.106.216.153 | 2404 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 18, 2024 08:21:01.698148966 CET | 49704 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:01.817976952 CET | 2404 | 49704 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:01.818080902 CET | 49704 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:01.825483084 CET | 49704 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:01.945147991 CET | 2404 | 49704 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:23.711025953 CET | 2404 | 49704 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:23.711095095 CET | 49704 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:23.711389065 CET | 49704 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:23.831449986 CET | 2404 | 49704 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:24.721554995 CET | 49721 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:24.841171026 CET | 2404 | 49721 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:24.841348886 CET | 49721 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:24.845735073 CET | 49721 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:24.965347052 CET | 2404 | 49721 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:46.727329016 CET | 2404 | 49721 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:46.727433920 CET | 49721 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:46.727685928 CET | 49721 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:46.847217083 CET | 2404 | 49721 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:47.738250017 CET | 49772 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:47.858520985 CET | 2404 | 49772 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:47.860770941 CET | 49772 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:47.864988089 CET | 49772 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:47.984536886 CET | 2404 | 49772 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:09.774827957 CET | 2404 | 49772 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:09.776659966 CET | 49772 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:09.776900053 CET | 49772 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:09.896622896 CET | 2404 | 49772 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:10.783915043 CET | 49828 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:10.903620958 CET | 2404 | 49828 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:10.904568911 CET | 49828 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:10.926903963 CET | 49828 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:11.046648026 CET | 2404 | 49828 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:32.822793961 CET | 2404 | 49828 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:32.822940111 CET | 49828 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:32.849463940 CET | 49828 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:32.969037056 CET | 2404 | 49828 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:33.862071991 CET | 49880 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:33.981765985 CET | 2404 | 49880 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:33.981862068 CET | 49880 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:33.987998962 CET | 49880 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:34.108047962 CET | 2404 | 49880 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:55.900423050 CET | 2404 | 49880 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:55.900506973 CET | 49880 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:56.013067007 CET | 49880 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:56.132941008 CET | 2404 | 49880 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:57.018671036 CET | 49933 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:57.138569117 CET | 2404 | 49933 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:57.138963938 CET | 49933 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:57.145113945 CET | 49933 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:57.264658928 CET | 2404 | 49933 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:23:19.025901079 CET | 2404 | 49933 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:23:19.025988102 CET | 49933 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:23:19.026253939 CET | 49933 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:23:19.145803928 CET | 2404 | 49933 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:23:20.034951925 CET | 49981 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:23:20.154900074 CET | 2404 | 49981 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:23:20.155157089 CET | 49981 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:23:20.159885883 CET | 49981 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:23:20.279442072 CET | 2404 | 49981 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:23:42.041941881 CET | 2404 | 49981 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:23:42.046781063 CET | 49981 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:23:42.048517942 CET | 49981 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:23:42.168473005 CET | 2404 | 49981 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:23:43.094161987 CET | 49982 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:23:43.213872910 CET | 2404 | 49982 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:23:43.213972092 CET | 49982 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:23:43.227739096 CET | 49982 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:23:43.347434044 CET | 2404 | 49982 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:24:05.105078936 CET | 2404 | 49982 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:24:05.105282068 CET | 49982 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:05.105480909 CET | 49982 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:05.225162029 CET | 2404 | 49982 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:24:06.112247944 CET | 49983 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:06.232348919 CET | 2404 | 49983 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:24:06.232558966 CET | 49983 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:06.237704039 CET | 49983 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:06.357394934 CET | 2404 | 49983 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:24:28.136881113 CET | 2404 | 49983 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:24:28.136984110 CET | 49983 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:28.137283087 CET | 49983 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:28.256802082 CET | 2404 | 49983 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:24:29.181585073 CET | 49984 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:29.301493883 CET | 2404 | 49984 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:24:29.305484056 CET | 49984 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:29.326742887 CET | 49984 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:29.446407080 CET | 2404 | 49984 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:24:51.215368986 CET | 2404 | 49984 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:24:51.215451956 CET | 49984 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:51.215812922 CET | 49984 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:51.335551023 CET | 2404 | 49984 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:24:52.222485065 CET | 49985 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:52.342211008 CET | 2404 | 49985 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:24:52.342947960 CET | 49985 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:52.409313917 CET | 49985 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:24:52.528902054 CET | 2404 | 49985 | 177.106.216.153 | 192.168.2.5 |
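Read together, the packet rows show one pattern repeated eleven times: the client opens a TCP connection to 177.106.216.153:2404 from a fresh ephemeral port, exchanges a few packets, the connection lasts about 22 seconds, and a little under one second after it ends the next one starts, so connection starts are spaced about 23 seconds apart. That cadence is the detectable property, independent of the JA3 fingerprint the IDS matched on. As an added example, not part of the Joe Sandbox report, the script below parses rows in the table's own format (the first four connections are embedded as constructed input, copied verbatim from above), reconstructs the flows and measures the spacing. It assumes 192.168.2.5 is the sandbox client and that every packet of each flow is present in the table; the beaconing threshold (coefficient of variation below 5 %) is an assumption chosen for this example.

```python
import re
import statistics
from datetime import datetime

# Constructed input: the first four C2 connections, copied verbatim from the
# packet table above (timestamp | src port | dst port | src IP | dst IP).
PACKET_ROWS = """\
Dec 18, 2024 08:21:01.698148966 CET | 49704 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:01.817976952 CET | 2404 | 49704 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:01.818080902 CET | 49704 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:01.825483084 CET | 49704 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:01.945147991 CET | 2404 | 49704 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:23.711025953 CET | 2404 | 49704 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:23.711095095 CET | 49704 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:23.711389065 CET | 49704 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:23.831449986 CET | 2404 | 49704 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:24.721554995 CET | 49721 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:24.841171026 CET | 2404 | 49721 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:24.841348886 CET | 49721 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:24.845735073 CET | 49721 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:24.965347052 CET | 2404 | 49721 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:46.727329016 CET | 2404 | 49721 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:46.727433920 CET | 49721 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:46.727685928 CET | 49721 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:46.847217083 CET | 2404 | 49721 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:47.738250017 CET | 49772 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:47.858520985 CET | 2404 | 49772 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:21:47.860770941 CET | 49772 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:47.864988089 CET | 49772 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:21:47.984536886 CET | 2404 | 49772 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:09.774827957 CET | 2404 | 49772 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:09.776659966 CET | 49772 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:09.776900053 CET | 49772 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:09.896622896 CET | 2404 | 49772 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:10.783915043 CET | 49828 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:10.903620958 CET | 2404 | 49828 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:10.904568911 CET | 49828 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:10.926903963 CET | 49828 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:11.046648026 CET | 2404 | 49828 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:32.822793961 CET | 2404 | 49828 | 177.106.216.153 | 192.168.2.5 |
Dec 18, 2024 08:22:32.822940111 CET | 49828 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:32.849463940 CET | 49828 | 2404 | 192.168.2.5 | 177.106.216.153 |
Dec 18, 2024 08:22:32.969037056 CET | 2404 | 49828 | 177.106.216.153 | 192.168.2.5 |
"""

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) CET \| "
    r"(?P<sport>\d+) \| (?P<dport>\d+) \| (?P<src>[\d.]+) \| (?P<dst>[\d.]+) \|$"
)
EPOCH = datetime(2024, 1, 1)  # arbitrary reference; only differences are used


def parse_row(line):
    """One row -> (seconds since EPOCH, sport, dport, src, dst); None if not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    # strptime's %f stops at 6 digits, so the 9-digit fraction is added by hand.
    secs = (datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds()
    return secs + float("0." + m["frac"]), int(m["sport"]), int(m["dport"]), m["src"], m["dst"]


def flows(rows_text, client_ip):
    """Group packets by the client's ephemeral port -> [(first, last, server)] sorted by start."""
    seen = {}
    for line in rows_text.splitlines():
        pkt = parse_row(line)
        if pkt is None:
            continue
        ts, sport, dport, src, dst = pkt
        if src == client_ip:
            key, server = sport, f"{dst}:{dport}"
        else:
            key, server = dport, f"{src}:{sport}"
        first, last, _ = seen.get(key, (ts, ts, server))
        seen[key] = (min(first, ts), max(last, ts), server)
    return sorted(seen.values())


def beacon_profile(rows_text, client_ip="192.168.2.5"):
    """Flow lifetime, spacing between flow starts, and the pause before reconnecting."""
    fl = flows(rows_text, client_ip)
    starts = [first for first, _, _ in fl]
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    reconnect = [nxt[0] - prev[1] for prev, nxt in zip(fl, fl[1:])]
    durations = [last - first for first, last, _ in fl]
    servers = sorted({server for _, _, server in fl})
    mean_iv = statistics.mean(intervals) if intervals else 0.0
    cv = statistics.pstdev(intervals) / mean_iv if len(intervals) > 1 and mean_iv else None
    return {
        "servers": servers,
        "flows": len(fl),
        "mean_duration": statistics.mean(durations) if durations else 0.0,
        "mean_interval": mean_iv,
        "mean_reconnect_gap": statistics.mean(reconnect) if reconnect else 0.0,
        "interval_cv": cv,
        # Verdict: one server, at least three flows, near-constant spacing (assumed threshold).
        "beaconing": len(servers) == 1 and len(fl) >= 3 and cv is not None and cv < 0.05,
    }
```

`beacon_profile(PACKET_ROWS)` reports a single server, four flows of about 22 s each, starts about 23 s apart with a coefficient of variation well under 1 %, and a reconnect gap of about 0.9 s. Fed the full table it sees all eleven connections. The same measurement applied to firewall or NetFlow records is how a hunt query would surface this traffic without a signature: the fixed reconnect delay is a property of the client's configuration, not of the protocol, so it survives a change of port or server.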
Target ID: | 0 |
Start time: | 02:21:00 |
Start date: | 18/12/2024 |
Path: | C:\Users\user\Desktop\17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 439'808 bytes |
MD5 hash: | 0D323BE01F1A4EDFD1C8E9F2C344A374 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 02:21:00 |
Start date: | 18/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Execution Graph
Execution Coverage: | 5.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 14.6% |
Total number of Nodes: | 1256 |
Total number of Limit Nodes: | 18 |
Functions identified in the execution graph, in the report's order:

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00414F0D | 115.6 | 40 | 26 | 134 | libraryloader, COMMON |
0040A1F6 | 37.1 | 6 | 15 | 328 | thread, sleep, file, COMMON |
0040A6E0 | 8.8 | 2 | 3 | 85 | sleep, COMMON |
00413D0A | 3.0 | 2 | 0 | 41 | COMMON |
0041EE41 | 1.5 | 1 | 0 | 10 | network, COMMON |
0040E94F | 42.8 | 4 | 20 | 789 | sleep, network, COMMON |
00415A62 | 22.8 | 12 | 1 | 74 | window, COMMON |
0040172E | 19.4 | 4 | 7 | 144 | network, COMMON |
00401C6F | 18.1 | 12 | 0 | 60 | synchronization, COMMON |
004490C0 | 17.8 | 9 | 1 | 272 | COMMON, LIBRARYCODE |
00415930 | 15.8 | 7 | 2 | 48 | window, string, COMMON |
004150F6 | 12.3 | 4 | 3 | 74 | memory, COMMON |
004159E2 | 8.8 | 3 | 2 | 57 | registry, COMMON |
00401D8F | 7.1 | 3 | 1 | 58 | time, thread, COMMON |
0040D222 | 7.0 | 3 | 1 | 38 | registry, COMMON |
0040CFAC | 7.0 | 3 | 1 | 32 | registry, COMMON |
0040880F | 5.3 | 2 | 1 | 12 | synchronization, COMMON |
0043BAD8 | 3.0 | 2 | 0 | 44 | memory, COMMON, LIBRARYCODE |
00401693 | 3.0 | 2 | 0 | 40 | network, COMMON |
0043FC9E | 1.6 | 1 | 0 | 54 | COMMON |
0041ED69 | 1.5 | 1 | 0 | 44 | network, COMMON |
0041EDDA | 1.5 | 1 | 0 | 38 | network, COMMON |
0043BA8A | 1.5 | 1 | 0 | 32 | memory, COMMON, LIBRARYCODE |
00401704 | 1.5 | 1 | 0 | 15 | network, COMMON |
0041EE5A | 1.5 | 1 | 0 | 10 | network, COMMON |
0040513A | 42.8 | 10 | 14 | 835 | file, sleep, COMMON |
00403B2B | 30.0 | 15 | 2 | 275 | pipe, sleep, file, COMMON |
00407FFE | 24.7 | 8 | 6 | 152 | file, COMMON |
00408219 | 22.9 | 8 | 5 | 143 | file, COMMON |
004147B5 | 13.6 | 9 | 0 | 147 | file, COMMON |
0040D9C0 | 10.9 | 4 | 2 | 388 | registry, libraryloader, COMMON |
00444780 | 10.7 | 5 | 1 | 188 | COMMON, LIBRARYCODE |
00407EE0 | 10.5 | 2 | 4 | 49 | file, COMMON |
00447658 | 10.1 | 1 | 4 | 1381 | COMMON, LIBRARYCODE |
00407305 | 9.3 | 6 | 0 | 316 | file, COMMON |
00413188 | 9.0 | 6 | 0 | 42 | service, COMMON |
00443E48 | 9.0 | 4 | 1 | 236 | COMMON, LIBRARYCODE |
004445AC | 8.8 | 3 | 2 | 86 | COMMON, LIBRARYCODE |
00407753 | 7.7 | 5 | 0 | 245 | file, COMMON |
00405CAE | 7.7 | 5 | 0 | 210 | file, COMMON |
0040CB8C | 7.7 | 5 | 0 | 206 | memory, COMMON |
004320FC | 7.1 | 3 | 1 | 78 | COMMON, LIBRARYCODE |
00404A5B | 5.4 | 2 | 1 | 157 | file, network, COMMON |
00444233 | 4.7 | 3 | 0 | 205 | COMMON |
004140F0 | 4.5 | 3 | 0 | 19 | native, COMMON |
0041411C | 4.5 | 3 | 0 | 19 | native, COMMON |
0044410B | 3.6 | 1 | 1 | 63 | COMMON, LIBRARYCODE |
0043D2BC | 3.5 | 1 | 1 | 37 | COMMON, LIBRARYCODE |
0042C3B7 | 1.6 | 1 | 0 | 134 | COMMON |
00444483 | 1.6 | 1 | 0 | 83 | COMMON |
004446B3 | 1.5 | 1 | 0 | 46 | COMMON |
0040A7F3 | 1.5 | 1 | 0 | 20 | COMMON |
0042C6F9 | 1.5 | 1 | 0 | 3 | COMMON |
0043681C | 1.5 | 0 | 1 | 214 | COMMON |
0041FB45 | 1.4 | 0 | 1 | 111 | COMMON |
0042E230 | 1.3 | 0 | 1 | 76 | COMMON |
0044B490 | 0.7 | 0 | 0 | 651 | COMMON |
00445BB9 | 0.6 | 0 | 0 | 637 | COMMON |
004175F5 | 0.6 | 0 | 0 | 585 | COMMON |
0042B2C5 | 0.5 | 0 | 0 | 504 | COMMON |
0041F4A7 | 0.4 | 0 | 0 | 411 | COMMON |
00431227 | 0.3 | 0 | 0 | 345 | COMMON |
0041EFB0 | 0.3 | 0 | 0 | 342 | COMMON |
0043165C | 0.3 | 0 | 0 | 341 | COMMON |
00430DF2 | 0.3 | 0 | 0 | 331 | COMMON |
004309DA | 0.3 | 0 | 0 | 323 | COMMON |
0041603E | 0.3 | 0 | 0 | 281 | COMMON |
00436A4B | 0.2 | 0 | 0 | 214 | COMMON, LIBRARYCODE |
0041FC88 | 0.2 | 0 | 0 | 195 | COMMON |
00411D59 | 51.1 | 28 | 1 | 330 | window, memory, COMMON |
0041372E | 38.7 | 12 | 10 | 180 | synchronization, COMMON |
00408AF8 | 35.2 | 6 | 14 | 237 | registry, COMMON |
00408837 | 35.2 | 6 | 14 | 216 | registry, COMMON |
0040E7A3 | 26.4 | 9 | 6 | 109 | libraryloader, COMMON |
0044159D | 25.9 | 17 | 0 | 419 | COMMON |
004144D6 | 24.6 | 13 | 1 | 147 | string, COMMON |
00443436 | 24.6 | 13 | 1 | 114 | COMMON, LIBRARYCODE |
0043B6A9 | 22.8 | 15 | 0 | 296 | COMMON |
00406066 | 21.3 | 8 | 4 | 329 | file, COMMON |
0041324D | 19.3 | 10 | 1 | 66 | service, COMMON |
0040330E | 15.9 | 6 | 3 | 155 | window, memory, COMMON |
0043C4B0 | 15.1 | 10 | 0 | 54 | COMMON |
00410890 | 14.1 | 3 | 5 | 104 | sleep, file, COMMON |
0043AD34 | 12.5 | 6 | 1 | 266 | COMMON, LIBRARYCODE |
00414A94 | 12.5 | 5 | 2 | 212 | registry, COMMON |
0041110E | 12.4 | 4 | 3 | 108 | file, synchronization, COMMON |
00404E28 | 12.4 | 6 | 1 | 106 | file, COMMON |
004132EA | 12.3 | 6 | 1 | 45 | service, COMMON |
0043DC10 | 10.7 | 7 | 0 | 152 | file, COMMON, LIBRARYCODE |
0040BD5E | 10.6 | 7 | 0 | 75 | COMMON |
00413A80 | 10.6 | 5 | 1 | 70 | network, file, COMMON |
0043C628 | 10.6 | 5 | 1 | 53 | COMMON, LIBRARYCODE |
00407F6F | 10.5 | 2 | 4 | 49 | file, COMMON |
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004133B8 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0043F0CC Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305COMMONLIBRARYCODE
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040C052 Relevance: 9.1, APIs: 6, Instructions: 53COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004131E6 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00413351 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040D2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00438EE3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401F1F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38synchronizationCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004134F5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004414CA Relevance: 7.6, APIs: 5, Instructions: 68COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004146B9 Relevance: 7.5, APIs: 5, Instructions: 48COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00439BF1 Relevance: 7.5, APIs: 5, Instructions: 30COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040D496 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0043E5C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401F9F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040D0C8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401B0F Relevance: 6.1, APIs: 4, Instructions: 128synchronizationthreadCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00408513 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004395DC Relevance: 6.1, APIs: 4, Instructions: 63COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0043965B Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00414A00 Relevance: 6.1, APIs: 4, Instructions: 52fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0043CFB7 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041229E Relevance: 6.0, APIs: 4, Instructions: 49COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040D74E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00443CA7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040C9E0 Relevance: 5.1, APIs: 4, Instructions: 125COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
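The function headers in this report come out of the sandbox UI with the tag badges fused onto the instruction count ("Instructions: 329fileCOMMON", "Instructions: 38libraryloaderCOMMONLIBRARYCODE"), which is awkward when you want to pull the list into a triage script and ask, for example, which non-library functions touch the registry, services or the network. The parser below is an added example written for this page, not Joe Sandbox code: it tokenises the fused badge text against the vocabulary of badges seen on this page (longest match first, so "libraryloader" is not split into "library" + "loader"), drops LIBRARYCODE-tagged runtime code from the triage order, and ranks what remains by relevance. The sample input is constructed from header lines copied from this page; the badge vocabulary, the `FunctionSummary` class and the triage helpers are this example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Badge vocabulary observed on this page (assumption: it is not a complete
# list of Joe Sandbox badges).  Sorted longest-first so that greedy matching
# takes "libraryloader" before "library" and "synchronization" before nothing
# shorter that could prefix it.
TAG_VOCAB = sorted(
    ["file", "service", "window", "memory", "sleep", "registry", "network",
     "synchronization", "thread", "libraryloader", "library",
     "COMMON", "LIBRARYCODE"],
    key=len, reverse=True)

# "Strings: N" is absent on the page when a function references no strings,
# so that group is optional; whatever letters follow the instruction count
# are the fused badges.
HEADER_RE = re.compile(
    r"Function\s+(?P<addr>[0-9A-Fa-f]{8})\s+Relevance:\s*(?P<rel>\d+(?:\.\d+)?),\s*"
    r"APIs:\s*(?P<apis>\d+),\s*(?:Strings:\s*(?P<strings>\d+),\s*)?"
    r"Instructions:\s*(?P<instr>\d+)(?P<tags>[A-Za-z]*)\s*$")


@dataclass
class FunctionSummary:
    address: int
    relevance: float
    apis: int
    strings: int
    instructions: int
    tags: list[str] = field(default_factory=list)

    @property
    def hex_address(self) -> str:
        return f"{self.address:08X}"


def split_tags(blob: str) -> list[str]:
    """Greedy longest-match tokenisation of a fused badge string."""
    tags, i = [], 0
    while i < len(blob):
        for tag in TAG_VOCAB:
            if blob.startswith(tag, i):
                tags.append(tag)
                i += len(tag)
                break
        else:
            raise ValueError(f"unknown badge text at {blob[i:]!r}")
    return tags


def parse_function_lines(text: str) -> list[FunctionSummary]:
    """Parse every 'Function ...' header in the text; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # residue such as 'Memory Dump Source |' is skipped
        out.append(FunctionSummary(
            address=int(m["addr"], 16),
            relevance=float(m["rel"]),
            apis=int(m["apis"]),
            strings=int(m["strings"] or 0),
            instructions=int(m["instr"]),
            tags=split_tags(m["tags"])))
    return out


def functions_with_tag(funcs: list[FunctionSummary], tag: str) -> list[FunctionSummary]:
    """All functions carrying a badge, most relevant first."""
    return sorted((f for f in funcs if tag in f.tags),
                  key=lambda f: (-f.relevance, f.address))


def triage_order(funcs: list[FunctionSummary],
                 interesting=("registry", "service", "network", "file")) -> list[str]:
    """Addresses worth reversing first: non-library code with a behavioural badge.
    COMMON is on every function and carries no signal; LIBRARYCODE marks runtime code."""
    picked = [f for f in funcs
              if "LIBRARYCODE" not in f.tags and any(t in f.tags for t in interesting)]
    picked.sort(key=lambda f: (-f.relevance, f.address))
    return [f.hex_address for f in picked]


# Constructed sample: header lines copied from this page plus two residue lines.
SAMPLE = """\
Function 00406066 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 329fileCOMMON
Function 0041324D Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 66serviceCOMMON
Function 0043C4B0 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
Function 0043AD34 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE
Function 00414A94 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 212registryCOMMON
Function 0041110E Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108filesynchronizationCOMMON
Function 00413A80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70networkfileCOMMON
Function 00438EE3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Function 0040D2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39registryCOMMON
Function 00401B0F Relevance: 6.1, APIs: 4, Instructions: 128synchronizationthreadCOMMON
Memory Dump Source |
APIs |
"""

if __name__ == "__main__":
    for f in parse_function_lines(SAMPLE):
        print(f.hex_address, f.relevance, f.tags)
    print("triage order:", triage_order(parse_function_lines(SAMPLE)))
```

The vocabulary-driven split is deliberate: a regex on letter case alone would merge "filesynchronization" into one token, and an unknown badge raises instead of being silently swallowed, so a new badge in a later report shows up as a parse error rather than a missing tag.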