Edit tour
Windows
Analysis Report
1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe
Overview
General Information
| Sample name: | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe |
| Analysis ID: | 1586000 |
| MD5: | bc99da46df7a1e46d7d7ae40107b08c1 |
| SHA1: | ed14378358a8dafd0d8b66120c6b3928be95408f |
| SHA256: | ba45d03e6fa3b7d8371ef76140419bf4ddfe1d19bf029829fe518080072d33db |
| Tags: | base64-decodedexeuser-abuse_ch |
| Infos: |   |
 | |
Detection
Remcos
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Deletes itself after installation
Installs a global keyboard hook
Machine Learning detection for sample
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe (PID: 6896 cmdline: "C:\Users\ user\Deskt op\1736348 224ad77cf8 6e491faad2 7e4b5decf1 eb0bb26f16 b0527e5ef4 88389ba353 aa3db79582 .dat-decod ed.exe" MD5: BC99DA46DF7A1E46D7D7AE40107B08C1) 
wscript.exe (PID: 4864 cmdline: "C:\Window s\System32 \WScript.e xe" "C:\Us ers\user~1 \AppData\L ocal\Temp\ ylmuurgkvu ccdvcinzxh vgwnuvrpi. vbs" MD5: FF00E0480075B095948000BDC66E81F0)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity. |
{"Host:Port:Password": ["municipioalcidiadechicamocha.ddnsgeek.com:1997:1"], "Assigned name": "07-01-25", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-XSWP6Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
| REMCOS_RAT_variants | unknown | unknown |
| |
| Click to see the 1 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| Click to see the 15 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
| REMCOS_RAT_variants | unknown | unknown |
| |
| Click to see the 7 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: | ||
| Source: | Author: frack113, Nasreddine Bencherchali: | ||
| Source: | Author: Michael Haag: | ||
Stealing of Sensitive Information | |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-08T16:00:23.416113+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 179.15.136.6 | 1997 | TCP |
| 2025-01-08T16:03:36.207542+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 52951 | 179.15.136.6 | 1997 | TCP |
| 2025-01-08T16:03:36.208506+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 52952 | 179.15.136.6 | 1997 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-08T16:00:25.100263+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 178.237.33.50 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-08T16:00:22.604407+0100 | 2834936 | 1 | A Network Trojan was detected | 192.168.2.7 | 52233 | 1.1.1.1 | 53 | UDP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_0043294A | |
| Source: | Binary or memory string: | memstr_ad54eca0-2 | |
Exploits | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Privilege Escalation | |
|---|
| Source: | Code function: | 0_2_00406764 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0040B335 | |
| Source: | Code function: | 0_2_0041B43F | |
| Source: | Code function: | 0_2_0040B53A | |
| Source: | Code function: | 0_2_0044D5F9 | |
| Source: | Code function: | 0_2_004089A9 | |
| Source: | Code function: | 0_2_00406AC2 | |
| Source: | Code function: | 0_2_00407A8C | |
| Source: | Code function: | 0_2_00418C79 | |
| Source: | Code function: | 0_2_00408DA7 | |
| Source: | Code function: | 0_2_00406F06 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | Suricata IDS: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00426107 | |
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | Code function: | 0_2_004099E4 | |
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Code function: | 0_2_004159C6 | |
| Source: | Code function: | 0_2_004159C6 | |
| Source: | Code function: | 0_2_004159C6 | |
| Source: | Code function: | 0_2_00409B10 | |
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Spam, unwanted Advertisements and Ransom Demands | |
|---|
| Source: | Code function: | 0_2_0041BB87 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_0041ACD1 | |
| Source: | Code function: | 0_2_0041ACFD | |
| Source: | Code function: | 0_2_004158B9 | |
| Source: | Code function: | 0_2_004520E2 | |
| Source: | Code function: | 0_2_0041D081 | |
| Source: | Code function: | 0_2_0043D0A8 | |
| Source: | Code function: | 0_2_00437160 | |
| Source: | Code function: | 0_2_004361BA | |
| Source: | Code function: | 0_2_00426264 | |
| Source: | Code function: | 0_2_00431387 | |
| Source: | Code function: | 0_2_0043652C | |
| Source: | Code function: | 0_2_0041E5EF | |
| Source: | Code function: | 0_2_0044C749 | |
| Source: | Code function: | 0_2_004367D6 | |
| Source: | Code function: | 0_2_004267DB | |
| Source: | Code function: | 0_2_0043C9ED | |
| Source: | Code function: | 0_2_00432A59 | |
| Source: | Code function: | 0_2_00436A9D | |
| Source: | Code function: | 0_2_0043CC1C | |
| Source: | Code function: | 0_2_00436D58 | |
| Source: | Code function: | 0_2_00434D32 | |
| Source: | Code function: | 0_2_0043CE4B | |
| Source: | Code function: | 0_2_00440E30 | |
| Source: | Code function: | 0_2_00426E83 | |
| Source: | Code function: | 0_2_00412F45 | |
| Source: | Code function: | 0_2_00452F10 | |
| Source: | Code function: | 0_2_00426FBD | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00416AB7 | |
| Source: | Code function: | 0_2_0040E219 | |
| Source: | Code function: | 0_2_0041A64F | |
| Source: | Code function: | 0_2_00419BD4 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Command line argument: | 0_2_0040D767 | |
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0041BCF3 | |
| Source: | Code function: | 0_2_00434019 | |
| Source: | Code function: | 0_2_0045680E | |
| Source: | Code function: | 0_2_00455ED2 | |
| Source: | Code function: | 0_2_00406128 | |
| Source: | Code function: | 0_2_00419BD4 | |
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File deleted: | Jump to behavior | ||
| Source: | Code function: | 0_2_0041BCF3 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Code function: | 0_2_0040E54F | |
| Source: | Code function: | 0_2_004198D2 | |
| Source: | Window found: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040B335 | |
| Source: | Code function: | 0_2_0041B43F | |
| Source: | Code function: | 0_2_0040B53A | |
| Source: | Code function: | 0_2_0044D5F9 | |
| Source: | Code function: | 0_2_004089A9 | |
| Source: | Code function: | 0_2_00406AC2 | |
| Source: | Code function: | 0_2_00407A8C | |
| Source: | Code function: | 0_2_00418C79 | |
| Source: | Code function: | 0_2_00408DA7 | |
| Source: | Code function: | 0_2_00406F06 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-48440 | ||
| Source: | Code function: | 0_2_0043A66D | |
| Source: | Code function: | 0_2_0041BCF3 | |
| Source: | Code function: | 0_2_00442564 | |
| Source: | Code function: | 0_2_0044E93E | |
| Source: | Code function: | 0_2_00434178 | |
| Source: | Code function: | 0_2_0043A66D | |
| Source: | Code function: | 0_2_00433B54 | |
| Source: | Code function: | 0_2_00433CE7 | |
| Source: | Code function: | 0_2_00410F36 | |
| Source: | Code function: | 0_2_00418764 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00433E1A | |
| Source: | Code function: | 0_2_0040E679 | |
| Source: | Code function: | 0_2_004510CA | |
| Source: | Code function: | 0_2_004470BE | |
| Source: | Code function: | 0_2_004511F3 | |
| Source: | Code function: | 0_2_004512FA | |
| Source: | Code function: | 0_2_004513C7 | |
| Source: | Code function: | 0_2_004475A7 | |
| Source: | Code function: | 0_2_00450A8F | |
| Source: | Code function: | 0_2_00450D52 | |
| Source: | Code function: | 0_2_00450D07 | |
| Source: | Code function: | 0_2_00450DED | |
| Source: | Code function: | 0_2_00450E7A | |
| Source: | Code function: | 0_2_00404915 | |
| Source: | Code function: | 0_2_0041A7B2 | |
| Source: | Code function: | 0_2_0044801F | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_0040B21B | |
| Source: | Code function: | 0_2_0040B335 | |
| Source: | Code function: | 0_2_0040B335 | |
Remote Access Functionality | |
|---|
| Source: | Mutex created: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00405042 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 11 Scripting | Valid Accounts | 1 Native API | 11 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement |
| Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Windows Service | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 22 Process Injection | 1 File Deletion | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | 12 Application Layer Protocol | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 22 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 74% | ReversingLabs | Win32.Backdoor.Remcos | ||
| 100% | Avira | BDS/Backdoor.Gen | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| geoplugin.net | 178.237.33.50 | true | false | high | |
| municipioalcidiadechicamocha.ddnsgeek.com | 179.15.136.6 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 179.15.136.6 | municipioalcidiadechicamocha.ddnsgeek.com | Colombia | 27831 | ColombiaMovilCO | true | |
| 178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1586000 |
| Start date and time: | 2025-01-08 15:59:26 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 56s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 15 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe |
| Detection: | MAL |
| Classification: | mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe
| Time | Type | Description |
|---|---|---|
| 11:25:42 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 179.15.136.6 | Get hash | malicious | Remcos | Browse | ||
| Get hash | malicious | Remcos | Browse | |||
| 178.237.33.50 | Get hash | malicious | Remcos | Browse |
| |
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| municipioalcidiadechicamocha.ddnsgeek.com | Get hash | malicious | Remcos | Browse |
| |
| Get hash | malicious | Remcos | Browse |
| ||
| geoplugin.net | Get hash | malicious | Remcos | Browse |
| |
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ATOM86-ASATOM86NL | Get hash | malicious | Remcos | Browse |
| |
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| ColombiaMovilCO | Get hash | malicious | Remcos | Browse |
| |
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 144 |
| Entropy (8bit): | 3.3221258935547358 |
| Encrypted: | false |
| SSDEEP: | 3:rgls1MNtl0cl5JWRal2Jl+7R0DAlBG45klovDl6v:MlsaNEU5YcIeeDAlOWAv |
| MD5: | 37D839CFE9CB726AB19FE84650F4CD8D |
| SHA1: | F4EA12C2FC78E6F01D4CF69158BBEC967B6FCFE1 |
| SHA-256: | C3ADDEC0319D59DAF621AAB64DA288315D85DC85B4BB146C22E7E63AE181D4D2 |
| SHA-512: | CD9030DB1042E9B97110864259C9D291E7359960B20596DCF16259200F7885D92575FF74AE5C9E5D5F63386E780F1907C5706168D7154F2CFAB484256BFDD355 |
| Malicious: | true |
| Yara Hits: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 963 |
| Entropy (8bit): | 5.019506780280991 |
| Encrypted: | false |
| SSDEEP: | 12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzd:qlupdRNuKyGX85jvXhNlT3/7AcV9Wro |
| MD5: | 7459F6DA71CD5EAF9DBE2D20CA9434AC |
| SHA1: | 4F60E33E15277F7A632D8CD058EC7DF4728B40BC |
| SHA-256: | 364A445C3A222EE10A8816F78283BBD0503A5E5824B2A7F5DCD8E6DA9148AF6A |
| SHA-512: | 3A862711D78F6F97F07E01ACC0DCB54F595A23AACEA9F2BB9606382805E1E92C1ACE09E1446F312F3B6D4EE63435ABEF46F0C16F015BD505347A1BCF2E149841 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 800 |
| Entropy (8bit): | 3.595024561316478 |
| Encrypted: | false |
| SSDEEP: | 12:xQ4lA2++ugypjBQMPURXkXI4GB9umLMl71G4Q3DMkXI4GB9umLMl71G49Hz/0ait:7a2+SDxL7uaMldQTML7uaMld9Aait |
| MD5: | BAE614365C45307591889BF6A81F213D |
| SHA1: | 3440A4EE61735785DE8D096EB428939A3B6625DB |
| SHA-256: | 416F8C8ACA9B6D66C1F848C3D8D9698EA27EC25F6CC37BE1DE6B13918068DD76 |
| SHA-512: | 3F9E4A930CE1FCDFAA1D4931EAE2CFA8593BD44AF2CBB59892A465C0B5CB678163958196E777A593E1A7E5E1CE495CB19378043AC2FDB1E6EDB78E6185A64755 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.586613064948642 |
| TrID: |
|
| File name: | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe |
| File size: | 493'056 bytes |
| MD5: | bc99da46df7a1e46d7d7ae40107b08c1 |
| SHA1: | ed14378358a8dafd0d8b66120c6b3928be95408f |
| SHA256: | ba45d03e6fa3b7d8371ef76140419bf4ddfe1d19bf029829fe518080072d33db |
| SHA512: | 7adcee93e31c5109eadf0062c9f4544d0569b85c843fccc242433ddd717bae8aaf4aec3831c1f6e8f5dc99127a80cea048ac4ed247e613fb70d95eea2635ffec |
| SSDEEP: | 12288:P9PgP3HAMwIGjY4vce6lnBthn5HSRVMf139F5woxr+IwtHwBtFhCsvZD5y+P32:N43HfwIGYMcn5PJrZQ+ |
| TLSH: | C8A4BE01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H. |
 | |
| Icon Hash: | 95694d05214c1b33 |
| Entrypoint: | 0x433b4a |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6752B172 [Fri Dec 6 08:10:26 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | e77512f955eaf60ccff45e02d69234de |
| Instruction |
|---|
| call 00007F5A9CDAD8A3h |
| jmp 00007F5A9CDAD1FFh |
| push ebp |
| mov ebp, esp |
| sub esp, 00000324h |
| push ebx |
| push 00000017h |
| call 00007F5A9CDCF6D9h |
| test eax, eax |
| je 00007F5A9CDAD387h |
| mov ecx, dword ptr [ebp+08h] |
| int 29h |
| push 00000003h |
| call 00007F5A9CDAD544h |
| mov dword ptr [esp], 000002CCh |
| lea eax, dword ptr [ebp-00000324h] |
| push 00000000h |
| push eax |
| call 00007F5A9CDAF85Bh |
| add esp, 0Ch |
| mov dword ptr [ebp-00000274h], eax |
| mov dword ptr [ebp-00000278h], ecx |
| mov dword ptr [ebp-0000027Ch], edx |
| mov dword ptr [ebp-00000280h], ebx |
| mov dword ptr [ebp-00000284h], esi |
| mov dword ptr [ebp-00000288h], edi |
| mov word ptr [ebp-0000025Ch], ss |
| mov word ptr [ebp-00000268h], cs |
| mov word ptr [ebp-0000028Ch], ds |
| mov word ptr [ebp-00000290h], es |
| mov word ptr [ebp-00000294h], fs |
| mov word ptr [ebp-00000298h], gs |
| pushfd |
| pop dword ptr [ebp-00000264h] |
| mov eax, dword ptr [ebp+04h] |
| mov dword ptr [ebp-0000026Ch], eax |
| lea eax, dword ptr [ebp+04h] |
| mov dword ptr [ebp-00000260h], eax |
| mov dword ptr [ebp-00000324h], 00010001h |
| mov eax, dword ptr [eax-04h] |
| push 00000050h |
| mov dword ptr [ebp-00000270h], eax |
| lea eax, dword ptr [ebp-58h] |
| push 00000000h |
| push eax |
| call 00007F5A9CDAF7D1h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e020 | 0x104 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4b1c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x3b88 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6c510 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x6c5e8 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c548 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x57000 | 0x4f4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x55f2d | 0x56000 | c9fb1fecb5f01a3c88e2bc00eccd57c4 | False | 0.5739377043968024 | data | 6.621523378040251 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x57000 | 0x18b00 | 0x18c00 | 0ba285a9a28b1dec254a7539ab18f8d0 | False | 0.4981455176767677 | OpenPGP Secret Key Version 6 | 5.75873851406894 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x70000 | 0x5d8c | 0xe00 | 06414e748130e7e668ba2ba172d63448 | False | 0.22684151785714285 | data | 3.093339598098017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x76000 | 0x4b1c | 0x4c00 | 26a2d0507ed6f6949329a4b71733058f | False | 0.2811472039473684 | data | 3.986629153008196 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x7b000 | 0x3b88 | 0x3c00 | b875bbd60cc90da8a22f40034fe9606e | False | 0.7575520833333333 | data | 6.702930468027394 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837 |
| RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885 |
| RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052 |
| RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513 |
| RT_RCDATA | 0x7a5cc | 0x50f | data | 1.0084942084942086 | ||
| RT_GROUP_ICON | 0x7aadc | 0x3e | data | English | United States | 0.8064516129032258 |
| DLL | Import |
|---|---|
| KERNEL32.dll | ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile |
| USER32.dll | DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon |
| GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject |
| ADVAPI32.dll | LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW |
| SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW |
| ole32.dll | CoInitializeEx, CoGetObject, CoUninitialize |
| SHLWAPI.dll | StrToIntA, PathFileExistsW, PathFileExistsA |
| WINMM.dll | mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW |
| WS2_32.dll | send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname |
| urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW |
| gdiplus.dll | GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage |
| WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-08T16:00:22.604407+0100 | 2834936 | ETPRO MALWARE Observed DNS Query to Abused DDNS (ddnsgeek .com) | 1 | 192.168.2.7 | 52233 | 1.1.1.1 | 53 | UDP |
| 2025-01-08T16:00:23.416113+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49699 | 179.15.136.6 | 1997 | TCP |
| 2025-01-08T16:00:25.100263+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.7 | 49700 | 178.237.33.50 | 80 | TCP |
| 2025-01-08T16:03:36.207542+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 52951 | 179.15.136.6 | 1997 | TCP |
| 2025-01-08T16:03:36.208506+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 52952 | 179.15.136.6 | 1997 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 8, 2025 16:00:22.730775118 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:00:22.735820055 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:00:22.735913992 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:00:22.741863012 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:00:22.746612072 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:00:23.365997076 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:00:23.416112900 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:00:23.517412901 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:00:23.524710894 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:00:23.530177116 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:00:23.550450087 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:00:23.555210114 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:00:23.555309057 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:00:23.560089111 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:00:23.860302925 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:00:23.902828932 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:00:23.907679081 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:00:24.000430107 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:00:24.041121006 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:00:24.466355085 CET | 49700 | 80 | 192.168.2.7 | 178.237.33.50 |
| Jan 8, 2025 16:00:24.471251011 CET | 80 | 49700 | 178.237.33.50 | 192.168.2.7 |
| Jan 8, 2025 16:00:24.471323967 CET | 49700 | 80 | 192.168.2.7 | 178.237.33.50 |
| Jan 8, 2025 16:00:24.471457958 CET | 49700 | 80 | 192.168.2.7 | 178.237.33.50 |
| Jan 8, 2025 16:00:24.476201057 CET | 80 | 49700 | 178.237.33.50 | 192.168.2.7 |
| Jan 8, 2025 16:00:25.100194931 CET | 80 | 49700 | 178.237.33.50 | 192.168.2.7 |
| Jan 8, 2025 16:00:25.100263119 CET | 49700 | 80 | 192.168.2.7 | 178.237.33.50 |
| Jan 8, 2025 16:00:25.121937990 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:00:25.126799107 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:00:26.099319935 CET | 80 | 49700 | 178.237.33.50 | 192.168.2.7 |
| Jan 8, 2025 16:00:26.099844933 CET | 49700 | 80 | 192.168.2.7 | 178.237.33.50 |
| Jan 8, 2025 16:00:37.054404020 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:00:37.055725098 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:00:37.060534000 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:01:06.486268044 CET | 52886 | 53 | 192.168.2.7 | 162.159.36.2 |
| Jan 8, 2025 16:01:06.491100073 CET | 53 | 52886 | 162.159.36.2 | 192.168.2.7 |
| Jan 8, 2025 16:01:06.491179943 CET | 52886 | 53 | 192.168.2.7 | 162.159.36.2 |
| Jan 8, 2025 16:01:06.496023893 CET | 53 | 52886 | 162.159.36.2 | 192.168.2.7 |
| Jan 8, 2025 16:01:06.939500093 CET | 52886 | 53 | 192.168.2.7 | 162.159.36.2 |
| Jan 8, 2025 16:01:06.946166039 CET | 53 | 52886 | 162.159.36.2 | 192.168.2.7 |
| Jan 8, 2025 16:01:06.946235895 CET | 52886 | 53 | 192.168.2.7 | 162.159.36.2 |
| Jan 8, 2025 16:01:07.052690983 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:01:07.058835030 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:01:07.063606977 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:01:37.081384897 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:01:37.083003044 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:01:37.087783098 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:02:07.109910011 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:02:07.111649036 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:02:07.116513968 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:02:14.432440042 CET | 49700 | 80 | 192.168.2.7 | 178.237.33.50 |
| Jan 8, 2025 16:02:14.807188988 CET | 49700 | 80 | 192.168.2.7 | 178.237.33.50 |
| Jan 8, 2025 16:02:15.442173958 CET | 49700 | 80 | 192.168.2.7 | 178.237.33.50 |
| Jan 8, 2025 16:02:16.697803974 CET | 49700 | 80 | 192.168.2.7 | 178.237.33.50 |
| Jan 8, 2025 16:02:19.197820902 CET | 49700 | 80 | 192.168.2.7 | 178.237.33.50 |
| Jan 8, 2025 16:02:24.010324001 CET | 49700 | 80 | 192.168.2.7 | 178.237.33.50 |
| Jan 8, 2025 16:02:33.697911978 CET | 49700 | 80 | 192.168.2.7 | 178.237.33.50 |
| Jan 8, 2025 16:02:37.078567028 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:02:37.081845999 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:02:37.088148117 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:07.120302916 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:07.121712923 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:07.126482964 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:35.416603088 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:35.416685104 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:35.416949034 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:35.421713114 CET | 52951 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:35.425458908 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:35.426585913 CET | 1997 | 52951 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:35.430299044 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:35.430414915 CET | 52951 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:35.430433035 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:35.434876919 CET | 52951 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:35.435173035 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:35.439640045 CET | 1997 | 52951 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:35.439973116 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.068888903 CET | 1997 | 52951 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.069554090 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.207479954 CET | 1997 | 52951 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.207541943 CET | 52951 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:36.208431005 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.208506107 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:36.213423014 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:36.213526011 CET | 52951 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:36.218271971 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.218352079 CET | 1997 | 52951 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.218374968 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:36.218404055 CET | 52951 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:36.223136902 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.223143101 CET | 1997 | 52951 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.223305941 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:36.228127003 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.516242027 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:36.521181107 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.521190882 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.521200895 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.521219015 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.521250010 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:36.521280050 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:36.521294117 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.521312952 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.521342039 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.521342993 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:36.521348953 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.521358967 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:36.521373987 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.521466017 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.526078939 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.526123047 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.526187897 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.526192904 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.526201963 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.526314974 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:36.526354074 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.232544899 CET | 52951 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:37.237415075 CET | 1997 | 52951 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.253350019 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.256542921 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:37.261346102 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.544680119 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.746592999 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:37.905993938 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:37.907597065 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:37.911010027 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.911020041 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.911030054 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.911035061 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.911050081 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.911062956 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.911067963 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.911082983 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.911113977 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.911195993 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.915683031 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.915694952 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.915750980 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.915755987 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.915765047 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.915771008 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.915889025 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:37.915893078 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.245251894 CET | 52951 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:38.250211000 CET | 1997 | 52951 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.428985119 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.557532072 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:38.701579094 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:38.702965021 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:38.706562042 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.706572056 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.706588030 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.706593990 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.706598043 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.706612110 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.706640959 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.706645966 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.706702948 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.706707954 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711199999 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711210012 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711262941 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711267948 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711302042 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711307049 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711366892 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711371899 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711375952 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711421967 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711426973 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711472988 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:38.711477041 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:39.039865017 CET | 1997 | 52951 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:39.040358067 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:39.040608883 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:39.040610075 CET | 52951 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:39.042006016 CET | 52952 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:39.046750069 CET | 1997 | 52952 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:39.261174917 CET | 52951 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:39.266057014 CET | 1997 | 52951 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:41.825377941 CET | 1997 | 49699 | 179.15.136.6 | 192.168.2.7 |
| Jan 8, 2025 16:03:42.000134945 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Jan 8, 2025 16:03:42.096364021 CET | 49699 | 1997 | 192.168.2.7 | 179.15.136.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 8, 2025 16:00:22.604407072 CET | 52233 | 53 | 192.168.2.7 | 1.1.1.1 |
| Jan 8, 2025 16:00:22.726689100 CET | 53 | 52233 | 1.1.1.1 | 192.168.2.7 |
| Jan 8, 2025 16:00:24.453263044 CET | 59249 | 53 | 192.168.2.7 | 1.1.1.1 |
| Jan 8, 2025 16:00:24.461883068 CET | 53 | 59249 | 1.1.1.1 | 192.168.2.7 |
| Jan 8, 2025 16:01:06.485686064 CET | 53 | 51759 | 162.159.36.2 | 192.168.2.7 |
| Jan 8, 2025 16:01:06.967228889 CET | 53 | 63696 | 1.1.1.1 | 192.168.2.7 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 8, 2025 16:00:22.604407072 CET | 192.168.2.7 | 1.1.1.1 | 0x298a | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 8, 2025 16:00:24.453263044 CET | 192.168.2.7 | 1.1.1.1 | 0x134e | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 8, 2025 16:00:22.726689100 CET | 1.1.1.1 | 192.168.2.7 | 0x298a | No error (0) | 179.15.136.6 | A (IP address) | IN (0x0001) | false | ||
| Jan 8, 2025 16:00:24.461883068 CET | 1.1.1.1 | 192.168.2.7 | 0x134e | No error (0) | 178.237.33.50 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49700 | 178.237.33.50 | 80 | 6896 | C:\Users\user\Desktop\1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 8, 2025 16:00:24.471457958 CET | 71 | OUT | |
| Jan 8, 2025 16:00:25.100194931 CET | 1171 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 10:00:21 |
| Start date: | 08/01/2025 |
| Path: | C:\Users\user\Desktop\1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 493'056 bytes |
| MD5 hash: | BC99DA46DF7A1E46D7D7AE40107B08C1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 11:28:29 |
| Start date: | 08/01/2025 |
| Path: | C:\Windows\SysWOW64\wscript.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x700000 |
| File size: | 147'456 bytes |
| MD5 hash: | FF00E0480075B095948000BDC66E81F0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 5.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 19% |
| Total number of Nodes: | 1789 |
| Total number of Limit Nodes: | 69 |
Graph
Function 0041BCF3 Relevance: 115.6, APIs: 40, Strings: 26, Instructions: 140libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004099E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040E54F Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 88sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404915 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60timethreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041A7B2 Relevance: 3.0, APIs: 2, Instructions: 40COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040E679 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00426107 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413FD4 Relevance: 53.3, APIs: 5, Strings: 25, Instructions: 813sleepnetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417FAF Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 324windowmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BF04 Relevance: 40.5, APIs: 6, Strings: 17, Instructions: 260registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A3F4 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 158sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409E48 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040428C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 147networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041A52B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68networkfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409D97 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004126D2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92synchronizationnetworkCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004098A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004127D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040AFBA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404688 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B59F Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041297A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BED7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044B9CE Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004041F1 Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041AC62 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413F9A Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00446B0F Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404262 Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004177A2 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417815 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004045AA Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042611E Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040262E Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004177C5 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00406F06 Relevance: 48.1, APIs: 10, Strings: 17, Instructions: 849filesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00405042 Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 280pipesleepfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00410F36 Relevance: 35.2, APIs: 7, Strings: 13, Instructions: 238threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B335 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 145fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B53A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 130fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040E219 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 212processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004159C6 Relevance: 18.1, APIs: 12, Instructions: 80clipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409B10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108keyboardthreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B43F Relevance: 13.6, APIs: 9, Instructions: 105fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00412F45 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 391registrylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B21B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00452F10 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004089A9 Relevance: 9.3, APIs: 6, Instructions: 288fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419BD4 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418C79 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 245fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004158B9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004511F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00407A8C Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00406128 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00408DA7 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00450E7A Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041ACD1 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041ACFD Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004475A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00432A59 Relevance: 1.8, Strings: 1, Instructions: 500COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004510CA Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004512FA Relevance: 1.5, APIs: 1, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00433CE7 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043CE4B Relevance: 1.5, Strings: 1, Instructions: 237COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00426E83 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00437160 Relevance: 1.3, Strings: 1, Instructions: 76COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044E93E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044C749 Relevance: .6, Instructions: 637COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041E5EF Relevance: .6, Instructions: 606COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004267DB Relevance: .4, Instructions: 437COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00426264 Relevance: .4, Instructions: 377COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00431387 Relevance: .4, Instructions: 371COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041D081 Relevance: .3, Instructions: 276COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00436A9D Relevance: .3, Instructions: 254COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00436D58 Relevance: .2, Instructions: 244COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004367D6 Relevance: .2, Instructions: 240COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043D0A8 Relevance: .2, Instructions: 237COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043652C Relevance: .2, Instructions: 232COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043C9ED Relevance: .2, Instructions: 214COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00426FBD Relevance: .2, Instructions: 186COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417245 Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 290libraryloaderthreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004112B5 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 189synchronizationsleepfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040C28E Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 282registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041A1CB Relevance: 42.2, APIs: 12, Strings: 12, Instructions: 180synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401BE8 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004064E0 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BC67 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 203fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B1CB Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044E21E Relevance: 25.9, APIs: 17, Instructions: 419COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00411C81 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 479sleepfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041CAAE Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00444F4D Relevance: 22.8, APIs: 15, Instructions: 296COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00407DEF Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 325fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413E37 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 109libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419138 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 174sleeptimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044F3F1 Relevance: 18.4, APIs: 12, Instructions: 376COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004047EB Relevance: 18.1, APIs: 12, Instructions: 66synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00454992 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00416E27 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 107filesynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404E52 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00446DDB Relevance: 15.1, APIs: 10, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B834 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 214registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004165FC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 103sleepfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041C97F Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00452B3A Relevance: 13.8, APIs: 9, Instructions: 268COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00444409 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00412C88 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00406BE9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041BEC0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00446169 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00447E4A Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044F816 Relevance: 10.7, APIs: 7, Instructions: 204COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00443F8B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044A0D3 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401768 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040E6A3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B2A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043960C Relevance: 9.3, APIs: 6, Instructions: 284COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00403DE7 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 135sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419DFC Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419C30 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419D32 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419D97 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004129AA Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 173registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041CA2F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004069BA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004425E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00412774 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404AB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419F42 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00410B19 Relevance: 7.7, APIs: 5, Instructions: 198memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044E14B Relevance: 7.6, APIs: 5, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B38D Relevance: 7.5, APIs: 5, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00416751 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00403A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A611 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044AA83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404B29 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00441A91 Relevance: 6.1, APIs: 4, Instructions: 133COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B806 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00411524 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409C4B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00442CE2 Relevance: 6.1, APIs: 4, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00442D61 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00447220 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B62A Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041851C Relevance: 6.0, APIs: 4, Instructions: 49COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004508EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004336FC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMONLIBRARYCODE
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004125EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044DDF7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004477A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040AD56 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040ADB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00411699 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|