Windows
Analysis Report
1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe
Overview
General Information
Sample name: | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe |
Analysis ID: | 1559856 |
MD5: | 3cc6b6ef2d90a55b3a9cb4b2f9c1526c |
SHA1: | fbc78cbbc06ab9f435fd3ec2fc46cf3a8c433dcf |
SHA256: | eafb4332827f8e2eccc30716537cfb9fdc3112b369d519b1fdfd9c5b39b8f1ce |
Tags: | base64-decoded, exe, user-abuse_ch |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe (PID: 5000 cmdline: "C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe" MD5: 3CC6B6EF2D90A55B3A9CB4B2F9C1526C)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": ["remcos2025rem.duckdns.org:1213:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-8AGIM5", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown | | |
REMCOS_RAT_variants | unknown | unknown | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown | | |
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown | | |
REMCOS_RAT_variants | unknown | unknown | | |
Stealing of Sensitive Information |
---|
Source: | Author: Joe Security: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-21T01:07:03.504324+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 186.169.34.190 | 1213 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-21T01:07:06.213772+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_004338C8 |
Source: | Binary or memory string: | memstr_a7eec4ca-9 |
Exploits |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Privilege Escalation |
---|
Source: | Code function: | 0_2_00407538 |
Source: | Static PE information: |
Source: | Code function: | 0_2_0040928E | |
Source: | Code function: | 0_2_0041C322 | |
Source: | Code function: | 0_2_0040C388 | |
Source: | Code function: | 0_2_004096A0 | |
Source: | Code function: | 0_2_00408847 | |
Source: | Code function: | 0_2_00407877 | |
Source: | Code function: | 0_2_0044E8F9 | |
Source: | Code function: | 0_2_0040BB6B | |
Source: | Code function: | 0_2_00419B86 | |
Source: | Code function: | 0_2_0040BD72 |
Source: | Code function: | 0_2_00407CD2 |
Networking |
---|
Source: | Suricata IDS: |
Source: | URLs: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | Suricata IDS: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_0041B411 |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | Code function: | 0_2_0040A2F3 |
Source: | Windows user hook set: | Jump to behavior |
Source: | Code function: | 0_2_0040B749 |
Source: | Code function: | 0_2_004168FC |
Source: | Code function: | 0_2_0040B749 |
Source: | Code function: | 0_2_0040A41B |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Spam, unwanted Advertisements and Ransom Demands |
---|
Source: | Code function: | 0_2_0041CA73 |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Process Stats: |
Source: | Code function: | 0_2_0041330D | |
Source: | Code function: | 0_2_0041BBC6 | |
Source: | Code function: | 0_2_0041BB9A |
Source: | Code function: | 0_2_004167EF |
Source: | Code function: | 0_2_0043706A | |
Source: | Code function: | 0_2_00414005 | |
Source: | Code function: | 0_2_0043E11C | |
Source: | Code function: | 0_2_004541D9 | |
Source: | Code function: | 0_2_004381E8 | |
Source: | Code function: | 0_2_0041F18B | |
Source: | Code function: | 0_2_00446270 | |
Source: | Code function: | 0_2_0043E34B | |
Source: | Code function: | 0_2_004533AB | |
Source: | Code function: | 0_2_0042742E | |
Source: | Code function: | 0_2_00437566 | |
Source: | Code function: | 0_2_0043E5A8 | |
Source: | Code function: | 0_2_004387F0 | |
Source: | Code function: | 0_2_0043797E | |
Source: | Code function: | 0_2_004339D7 | |
Source: | Code function: | 0_2_0044DA49 | |
Source: | Code function: | 0_2_00427AD7 | |
Source: | Code function: | 0_2_0041DBF3 | |
Source: | Code function: | 0_2_00427C40 | |
Source: | Code function: | 0_2_00437DB3 | |
Source: | Code function: | 0_2_00435EEB | |
Source: | Code function: | 0_2_0043DEED | |
Source: | Code function: | 0_2_00426E9F |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Source: | Code function: | 0_2_0041798D |
Source: | Code function: | 0_2_0040F4AF |
Source: | Code function: | 0_2_0041B539 |
Source: | Code function: | 0_2_0041AADB |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 | |
Source: | Command line argument: | 0_2_0040EA00 |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_0041CBE1 |
Source: | Code function: | 0_2_00457199 | |
Source: | Code function: | 0_2_00457AC6 | |
Source: | Code function: | 0_2_00434EC9 |
Source: | Code function: | 0_2_00406EEB |
Source: | Code function: | 0_2_0041AADB |
Source: | Code function: | 0_2_0041CBE1 |
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | Code function: | 0_2_0040F7E2 |
Source: | Code function: | 0_2_0041A7D9 |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Code function: | 0_2_0040928E | |
Source: | Code function: | 0_2_0041C322 | |
Source: | Code function: | 0_2_0040C388 | |
Source: | Code function: | 0_2_004096A0 | |
Source: | Code function: | 0_2_00408847 | |
Source: | Code function: | 0_2_00407877 | |
Source: | Code function: | 0_2_0044E8F9 | |
Source: | Code function: | 0_2_0040BB6B | |
Source: | Code function: | 0_2_00419B86 | |
Source: | Code function: | 0_2_0040BD72 |
Source: | Code function: | 0_2_00407CD2 |
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-48956 |
Source: | Code function: | 0_2_00434A8A |
Source: | Code function: | 0_2_0041CBE1 |
Source: | Code function: | 0_2_00443355 |
Source: | Code function: | 0_2_004120B2 |
Source: | Code function: | 0_2_0043503C | |
Source: | Code function: | 0_2_00434A8A | |
Source: | Code function: | 0_2_0043BB71 | |
Source: | Code function: | 0_2_00434BD8 |
Source: | Code function: | 0_2_00412132 |
Source: | Code function: | 0_2_00419662 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 0_2_00434CB6 |
Source: | Code function: | 0_2_0040F90C | |
Source: | Code function: | 0_2_0045201B | |
Source: | Code function: | 0_2_004520B6 | |
Source: | Code function: | 0_2_00452143 | |
Source: | Code function: | 0_2_00452393 | |
Source: | Code function: | 0_2_00448484 | |
Source: | Code function: | 0_2_004524BC | |
Source: | Code function: | 0_2_004525C3 | |
Source: | Code function: | 0_2_00452690 | |
Source: | Code function: | 0_2_0044896D | |
Source: | Code function: | 0_2_00451D58 | |
Source: | Code function: | 0_2_00451FD0 |
Source: | Code function: | 0_2_00404F51 |
Source: | Code function: | 0_2_0041B69E |
Source: | Code function: | 0_2_00449210 |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 0_2_0040BA4D |
Source: | Code function: | 0_2_0040BB6B | |
Source: | Code function: | 0_2_0040BB6B |
Remote Access Functionality |
---|
Source: | Mutex created: | Jump to behavior |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 0_2_0040569A |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement |
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Masquerading | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | 22 Application Layer Protocol | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
87% | ReversingLabs | Win32.Backdoor.Remcos | ||
86% | Virustotal | Browse | ||
100% | Avira | BDS/Backdoor.Gen | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
remcos2025rem.duckdns.org | 186.169.34.190 | true | true | | unknown |
geoplugin.net | 178.237.33.50 | true | false | | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
186.169.34.190 | remcos2025rem.duckdns.org | Colombia | | 3816 | COLOMBIATELECOMUNICACIONESSAESPCO | true |
178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1559856 |
Start date and time: | 2024-11-21 01:06:09 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 29s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe |
Detection: | MAL |
Classification: | mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
19:07:32 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
186.169.34.190 | | Get hash | malicious | AsyncRAT, DcRat | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos | Browse | |
178.237.33.50 | | Get hash | malicious | Cobalt Strike, Remcos, HTMLPhisher | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos, HTMLPhisher | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos, DBatLoader | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos, DBatLoader | Browse | |
178.237.33.50 | | Get hash | malicious | GuLoader, Remcos | Browse | |
178.237.33.50 | | Get hash | malicious | Remcos | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
remcos2025rem.duckdns.org | | Get hash | malicious | AsyncRAT, DcRat | Browse | |
geoplugin.net | | Get hash | malicious | Remcos | Browse | |
geoplugin.net | | Get hash | malicious | Cobalt Strike, Remcos, HTMLPhisher | Browse | |
geoplugin.net | | Get hash | malicious | Remcos, HTMLPhisher | Browse | |
geoplugin.net | | Get hash | malicious | Remcos | Browse | |
geoplugin.net | | Get hash | malicious | Remcos | Browse | |
geoplugin.net | | Get hash | malicious | Remcos, DBatLoader | Browse | |
geoplugin.net | | Get hash | malicious | Remcos | Browse | |
geoplugin.net | | Get hash | malicious | Remcos, DBatLoader | Browse | |
geoplugin.net | | Get hash | malicious | GuLoader, Remcos | Browse | |
geoplugin.net | | Get hash | malicious | Remcos | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
COLOMBIATELECOMUNICACIONESSAESPCO | | Get hash | malicious | AsyncRAT, DcRat | Browse | |
COLOMBIATELECOMUNICACIONESSAESPCO | | Get hash | malicious | Mirai | Browse | |
COLOMBIATELECOMUNICACIONESSAESPCO | | Get hash | malicious | Mirai | Browse | |
COLOMBIATELECOMUNICACIONESSAESPCO | | Get hash | malicious | Mirai | Browse | |
COLOMBIATELECOMUNICACIONESSAESPCO | | Get hash | malicious | Mirai | Browse | |
COLOMBIATELECOMUNICACIONESSAESPCO | | Get hash | malicious | Mirai | Browse | |
COLOMBIATELECOMUNICACIONESSAESPCO | | Get hash | malicious | Mirai | Browse | |
COLOMBIATELECOMUNICACIONESSAESPCO | | Get hash | malicious | Mirai, Moobot | Browse | |
COLOMBIATELECOMUNICACIONESSAESPCO | | Get hash | malicious | Mirai, Moobot | Browse | |
COLOMBIATELECOMUNICACIONESSAESPCO | | Get hash | malicious | AsyncRAT, DcRat | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Cobalt Strike, Remcos, HTMLPhisher | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos, HTMLPhisher | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos, DBatLoader | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos, DBatLoader | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | GuLoader, Remcos | Browse | |
ATOM86-ASATOM86NL | | Get hash | malicious | Remcos | Browse | |
Process: | C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 144 |
Entropy (8bit): | 3.349210161123417 |
Encrypted: | false |
SSDEEP: | 3:rhlKlf4OlclNef1ClDl5JWRal2Jl+7R0DAlBG45klovDl6v:6lfJlc2wl55YcIeeDAlOWAv |
MD5: | F77DFD7E6BFF8009C0A971EBCD0E964B |
SHA1: | 229C9625E4D0E1F208D861D4A21098FC2C99ADBD |
SHA-256: | F28810C683769855CA784B3705D6200842FE635869FE11CDDABC7245BAE5AB89 |
SHA-512: | 54CF062E1A3186C14869718DC32C9559575D9D0CCBAD0E466CB918F1A44B2589B68F892367B1DB14653C8DEE2C87AF8CB192D818227F49BFD5E5ADB7EDCCCE9A |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 962 |
Entropy (8bit): | 5.01442467270497 |
Encrypted: | false |
SSDEEP: | 12:tkluQ+nd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluQydVauKyGX85jvXhNlT3/7AcV9Wro |
MD5: | 4A8FAD17775993221C3AD2D68BB4B306 |
SHA1: | DB42C3975A64E7B4CE2A93FF5AF91F2DF73C82BD |
SHA-256: | 893F1B254D4EC2484868976F1B62D5A064909EA08E46F95193DBE79DB435E604 |
SHA-512: | 63252CFDC2CC7A32F86D9CB5D27E1695A8C138EBFBF476741C017EB349F20BDC72FF5856E0044DB189BAABDB1C3819C29FFC33A054810BD0354726300063D52C |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.6004596667154685 |
TrID: | |
File name: | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe |
File size: | 494'592 bytes |
MD5: | 3cc6b6ef2d90a55b3a9cb4b2f9c1526c |
SHA1: | fbc78cbbc06ab9f435fd3ec2fc46cf3a8c433dcf |
SHA256: | eafb4332827f8e2eccc30716537cfb9fdc3112b369d519b1fdfd9c5b39b8f1ce |
SHA512: | f1143c6c4253b3c353cf5331f958c9f9b2a301097ccf8fd683a003ddc1258d91b44284202d2e72e46b817f544811ec7c9a883032f7a9f1e4fa5a370a2f1e794b |
SSDEEP: | 6144:u5zY+w1LqZBCxKedv//NEUn+N5hkf/0TE7RvIZ/jbsAORZzAXMcrJA4:u5k+Yqaxrh3Nln+N52fIA4jbsvZziA4 |
TLSH: | 0EB4AE01BAD2C072D57514300D3AF776EAB8BD201836497B73DA1D5BFE31190A72AAB7 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH.. |
Icon Hash: | 95694d05214c1b33 |
Entrypoint: | 0x434a80 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6710C0B1 [Thu Oct 17 07:45:53 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 1389569a3a39186f3eb453b501cfe688 |
Instruction |
---|
call 00007F2F4CB4E05Bh |
jmp 00007F2F4CB4DAA3h |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push ebx |
push esi |
push 00000017h |
call 00007F2F4CB702F3h |
test eax, eax |
je 00007F2F4CB4DC17h |
mov ecx, dword ptr [ebp+08h] |
int 29h |
xor esi, esi |
lea eax, dword ptr [ebp-00000324h] |
push 000002CCh |
push esi |
push eax |
mov dword ptr [00471D14h], esi |
call 00007F2F4CB50066h |
add esp, 0Ch |
mov dword ptr [ebp-00000274h], eax |
mov dword ptr [ebp-00000278h], ecx |
mov dword ptr [ebp-0000027Ch], edx |
mov dword ptr [ebp-00000280h], ebx |
mov dword ptr [ebp-00000284h], esi |
mov dword ptr [ebp-00000288h], edi |
mov word ptr [ebp-0000025Ch], ss |
mov word ptr [ebp-00000268h], cs |
mov word ptr [ebp-0000028Ch], ds |
mov word ptr [ebp-00000290h], es |
mov word ptr [ebp-00000294h], fs |
mov word ptr [ebp-00000298h], gs |
pushfd |
pop dword ptr [ebp-00000264h] |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [ebp-0000026Ch], eax |
lea eax, dword ptr [ebp+04h] |
mov dword ptr [ebp-00000260h], eax |
mov dword ptr [ebp-00000324h], 00010001h |
mov eax, dword ptr [eax-04h] |
push 00000050h |
mov dword ptr [ebp-00000270h], eax |
lea eax, dword ptr [ebp-58h] |
push esi |
push eax |
call 00007F2F4CB4FFDDh |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eeb8 | 0x104 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4ae4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bc8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d350 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3e4 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d388 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x500 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x571f5 | 0x57200 | 42490688bcf3aaa371282a7454b99e23 | False | 0.5716155173959828 | data | 6.625772280516175 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x59000 | 0x179dc | 0x17a00 | 8c19f58f5a4e5f2d5359d54234473252 | False | 0.5008370535714286 | data | 5.862025333737917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x71000 | 0x5d54 | 0xe00 | 0eaccffe1cb836994ce5d3ccfb22d4f9 | False | 0.22126116071428573 | data | 3.0035180736120775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.gfids | 0x78000 | 0x230 | 0x400 | 9ca325bce9f8c0342c0381814603584a | False | 0.330078125 | data | 2.3999762503719224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x79000 | 0x4ae4 | 0x4c00 | 09724eb8731eaf186abd444537b3ccca | False | 0.2783203125 | data | 3.979487702487559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x7e000 | 0x3bc8 | 0x3c00 | 71caad037f5f2070293ebf9ebb49e4e2 | False | 0.764453125 | data | 6.724383647387111 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837 |
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885 |
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052 |
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513 |
RT_RCDATA | 0x7d5cc | 0x4d8 | data | | | 1.0088709677419354 |
RT_GROUP_ICON | 0x7daa4 | 0x3e | data | English | United States | 0.8064516129032258 |

DLL | Import |
---|---|
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile |
USER32.dll | GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo |
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC |
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA |
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW |
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject |
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA |
WINMM.dll | waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader |
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket |
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW |
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream |
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile |

Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-21T01:07:03.504324+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49704 | 186.169.34.190 | 1213 | TCP |
2024-11-21T01:07:06.213772+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | TCP |

Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 21, 2024 01:07:02.031492949 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:07:02.151106119 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:02.151180029 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:07:02.157321930 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:07:02.276940107 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:03.453918934 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:03.504323959 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:07:03.698690891 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:03.713691950 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:07:03.833290100 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:03.833363056 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:07:03.952951908 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:04.256251097 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:04.258373976 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:07:04.378262997 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:04.457170963 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:04.504343033 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:07:04.755872965 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50 |
Nov 21, 2024 01:07:04.875504017 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5 |
Nov 21, 2024 01:07:04.875647068 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50 |
Nov 21, 2024 01:07:04.875797033 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50 |
Nov 21, 2024 01:07:04.995251894 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5 |
Nov 21, 2024 01:07:06.213676929 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5 |
Nov 21, 2024 01:07:06.213772058 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50 |
Nov 21, 2024 01:07:06.240336895 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:07:06.361443043 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:07.213330030 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5 |
Nov 21, 2024 01:07:07.213421106 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50 |
Nov 21, 2024 01:07:27.596441984 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:27.598490953 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:07:27.718019009 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:57.608752966 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:07:57.612258911 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:07:57.732027054 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:08:27.618530035 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:08:27.628767967 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:08:27.748388052 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:08:54.520206928 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50 |
Nov 21, 2024 01:08:54.832516909 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50 |
Nov 21, 2024 01:08:55.629388094 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50 |
Nov 21, 2024 01:08:56.832525015 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50 |
Nov 21, 2024 01:08:57.627985001 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:08:57.631968021 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:08:57.751578093 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:08:59.332520008 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50 |
Nov 21, 2024 01:09:04.223134995 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50 |
Nov 21, 2024 01:09:13.899424076 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50 |
Nov 21, 2024 01:09:27.643048048 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:09:27.644671917 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:09:27.764343023 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:09:57.653112888 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:09:57.654825926 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:09:57.774395943 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:10:27.675725937 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:10:27.677356005 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:10:27.797154903 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:10:57.686211109 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |
Nov 21, 2024 01:10:57.689920902 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190 |
Nov 21, 2024 01:10:57.809727907 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5 |

Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 21, 2024 01:07:01.691200972 CET | 50455 | 53 | 192.168.2.5 | 1.1.1.1 |
Nov 21, 2024 01:07:02.028549910 CET | 53 | 50455 | 1.1.1.1 | 192.168.2.5 |
Nov 21, 2024 01:07:04.523593903 CET | 49374 | 53 | 192.168.2.5 | 1.1.1.1 |
Nov 21, 2024 01:07:04.752619982 CET | 53 | 49374 | 1.1.1.1 | 192.168.2.5 |

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Nov 21, 2024 01:07:01.691200972 CET | 192.168.2.5 | 1.1.1.1 | 0x4c9c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Nov 21, 2024 01:07:04.523593903 CET | 192.168.2.5 | 1.1.1.1 | 0x2164 | Standard query (0) | | A (IP address) | IN (0x0001) | false |

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Nov 21, 2024 01:07:02.028549910 CET | 1.1.1.1 | 192.168.2.5 | 0x4c9c | No error (0) | | | 186.169.34.190 | A (IP address) | IN (0x0001) | false |
Nov 21, 2024 01:07:04.752619982 CET | 1.1.1.1 | 192.168.2.5 | 0x2164 | No error (0) | | | 178.237.33.50 | A (IP address) | IN (0x0001) | false |

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | 5000 | C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe |

Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 21, 2024 01:07:04.875797033 CET | 71 | OUT | |
Nov 21, 2024 01:07:06.213676929 CET | 1170 | IN |
Target ID: | 0 |
Start time: | 19:07:00 |
Start date: | 20/11/2024 |
Path: | C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 494'592 bytes |
MD5 hash: | 3CC6B6EF2D90A55B3A9CB4B2F9C1526C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 4.2% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 21.3% |
Total number of Nodes: | 1396 |
Total number of Limit Nodes: | 65 |
Function | Relevance | APIs | Strings | Instructions | Tags | Control-flow Graph |
---|---|---|---|---|---|---|
0041CBE1 | 148.9 | 52 | 33 | 176 | library, loader, COMMON | yes |
0040A2F3 | 12.3 | 6 | 1 | 63 | window, COMMON | yes |
0040F7E2 | 10.6 | 2 | 4 | 88 | sleep, COMMON | yes |
0041B411 | 10.6 | 5 | 1 | 69 | network, file, COMMON | yes |
00404F51 | 7.1 | 3 | 1 | 58 | time, thread, COMMON | |
0041B69E | 3.0 | 2 | | 41 | COMMON | |
0040F90C | 1.5 | 1 | | 20 | COMMON | |

Function | Relevance | APIs | Strings | Instructions | Tags | Control-flow Graph |
---|---|---|---|---|---|---|
00414F65 | 46.3 | 5 | 21 | 809 | sleep, network, COMMON | yes |
004048C8 | 21.1 | 4 | 8 | 144 | network, COMMON | yes |
0040AD11 | 17.7 | 6 | 4 | 156 | sleep, COMMON | yes |
0040A761 | 15.9 | 6 | 3 | 163 | sleep, COMMON | yes |
0041C482 | 10.6 | 5 | 1 | 67 | file, COMMON | yes |
0040A6B0 | 8.8 | 4 | 1 | 58 | sleep, file, COMMON | yes |
0040A1B4 | 7.1 | 3 | 1 | 70 | thread, COMMON | yes |
004137AA | 7.0 | 3 | 1 | 38 | registry, COMMON | |
00404CC3 | 6.1 | 4 | | 121 | synchronization, thread, COMMON | |
0040482D | 5.3 | 2 | 1 | 40 | network, COMMON | |
00414F24 | 5.3 | 2 | 1 | 21 | network, COMMON | |
0040D0A4 | 5.3 | 2 | 1 | 13 | synchronization, COMMON | |
0044F45D | 4.5 | 3 | | 37 | COMMON | |
00446206 | 3.0 | 2 | | 44 | memory, COMMON, LIBRARYCODE | |
0041BB27 | 3.0 | 2 | | 26 | COMMON | |
00409E1F | 1.6 | 1 | | 63 | COMMON | |
004461B8 | 1.5 | 1 | | 32 | memory, COMMON, LIBRARYCODE | |
0040489E | 1.5 | 1 | | 15 | network, COMMON | |
00426D42 | 1.5 | 1 | | 7 | network, COMMON | |
00426D59 | 1.5 | 1 | | 7 | network, COMMON | |

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0040569A | 47.5 | 15 | 12 | 278 | pipe, sleep, file, COMMON |
00407CD2 | 44.6 | 10 | 15 | 835 | file, sleep, COMMON |
00412132 | 33.5 | 7 | 12 | 238 | thread, COMMON |
0040BB6B | 24.6 | 8 | 6 | 146 | file, COMMON |
004168FC | 24.6 | 12 | 2 | 80 | clipboard, memory, COMMON |
0040F4AF | 23.0 | 6 | 7 | 210 | process, COMMON |
0040BD72 | 21.1 | 7 | 5 | 131 | file, COMMON |
0041330D | 18.2 | 12 | | 153 | file, COMMON |
0040A41B | 15.9 | 8 | 1 | 112 | keyboard, thread, COMMON |
004167EF | 15.8 | 3 | 6 | 97 | library, loader, shutdown, COMMON |
00452690 | 14.2 | 5 | 3 | 188 | COMMON, LIBRARYCODE |
0040C388 | 14.1 | 5 | 3 | 112 | file, COMMON |
0041C322 | 13.6 | 9 | | 106 | file, COMMON |
00414005 | 10.9 | 4 | 2 | 382 | registry, library, loader, COMMON |
00449210 | 10.9 | 7 | | 370 | time, COMMON, LIBRARYCODE |
00419B86 | 10.7 | 2 | 4 | 245 | file, COMMON |
00406EEB | 10.7 | 2 | 4 | 222 | file, network, COMMON |
00408847 | 10.7 | 5 | 1 | 186 | file, COMMON |
0040BA4D | 10.5 | 2 | 4 | 49 | file, COMMON |
004541D9 | 10.1 | 1 | 4 | 1381 | COMMON, LIBRARYCODE |
0040928E | 9.3 | 6 | | 293 | file, COMMON |
0041AADB | 9.0 | 6 | | 39 | service, COMMON |
004524BC | 8.8 | 3 | 2 | 86 | COMMON, LIBRARYCODE |
004096A0 | 7.7 | 5 | | 222 | file, COMMON |
0045201B | 5.3 | 1 | 2 | 63 | COMMON, LIBRARYCODE |
00452143 | 4.7 | 3 | | 205 | COMMON |
0041BBC6 | 4.5 | 3 | | 19 | native, COMMON |
0041BB9A | 4.5 | 3 | | 19 | native, COMMON |
004520B6 | 3.5 | 1 | 1 | 42 | COMMON, LIBRARYCODE |
0044896D | 3.5 | 1 | 1 | 37 | COMMON, LIBRARYCODE |
004120B2 | 2.6 | 2 | | 55 | memory, COMMON |
004339D7 | 1.8 | | 1 | 501 | COMMON |
00434CB6 | 1.6 | 1 | | 134 | COMMON |
00452393 | 1.6 | 1 | | 83 | COMMON |
004525C3 | 1.5 | 1 | | 46 | COMMON |
00434BD8 | 1.5 | 1 | | 3 | COMMON |
0043E34B | 1.5 | | 1 | 237 | COMMON |
00427AD7 | 1.4 | | 1 | 109 | COMMON |
0044DA49 | .6 | | | 637 | COMMON |
0041F18B | .6 | | | 598 | COMMON |
0042742E | .4 | | | 435 | COMMON |
00426E9F | .4 | | | 383 | COMMON |
00437DB3 | .3 | | | 345 | COMMON |
004381E8 | .3 | | | 341 | COMMON |
0043797E | .3 | | | 331 | COMMON |
00437566 | .3 | | | 323 | COMMON |
0041DBF3 | .3 | | | 277 | COMMON |
0043E5A8 | .2 | | | 237 | COMMON |
0043E11C | .2 | | | 214 | COMMON, LIBRARYCODE |
0043DEED | .2 | | | 214 | COMMON |
00427C40 | .2 | | | 187 | COMMON |
004387F0 | .1 | | | 76 | COMMON |

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00418EB1 | 51.1 | 28 | 1 | 328 | window, memory, COMMON |
0040D45B | 49.3 | 6 | 22 | 282 | registry, COMMON |
0041812A | 47.5 | 22 | 5 | 289 | library, loader, thread, COMMON |
0040D0D1 | 44.0 | 6 | 19 | 260 | registry, COMMON |
004124B0 | 42.2 | 17 | 7 | 190 | synchronization, sleep, file, COMMON |
0041B0D8 | 38.7 | 12 | 10 | 180 | synchronization, COMMON |
00401CE9 | 35.2 | 16 | 4 | 156 | file, COMMON |
004072AB | 35.1 | 12 | 8 | 62 | library, loader, COMMON |
0040CE34 | 33.5 | 12 | 7 | 203 | file, COMMON |
0041C0AC | 28.1 | 15 | 1 | 139 | string, COMMON |
0044F4AD | 25.9 | 17 | | 419 | COMMON |
00412AEF | 23.2 | 9 | 4 | 482 | sleep, file, COMMON |
0041D620 | 22.8 | 12 | 1 | 74 | window, COMMON |
00445DD7 | 22.8 | 15 | | 296 | COMMON |
00408BB5 | 21.3 | 8 | 4 | 328 | file, COMMON |
|
Yara matches |
Similarity |
|
Function 00414DC1 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 109libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00450680 Relevance: 18.4, APIs: 12, Instructions: 376COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00404E26 Relevance: 18.1, APIs: 12, Instructions: 65synchronizationCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00455C5B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041697B Relevance: 17.5, APIs: 8, Strings: 2, Instructions: 46clipboardCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004054A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00417D1A Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004481A1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041C720 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 214registryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041A045 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004174D0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041D4EE Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00453E03 Relevance: 13.8, APIs: 9, Instructions: 268COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004451FA Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040799E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041CE2C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 48memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004475F1 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00444D7C Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0044B43C Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040186A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142threadCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040BADC Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0043AB5C Relevance: 9.3, APIs: 6, Instructions: 284COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00404371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00411D39 Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041AD09 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041AB37 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041AC3B Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041ACA2 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00413D48 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 135registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041D5A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00407790 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041384F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39registryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004433DA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004050E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041AE51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00412716 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 93sleepCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0044F3DA Relevance: 7.6, APIs: 5, Instructions: 68COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041C26E Relevance: 7.5, APIs: 5, Instructions: 48COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00417627 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00413A90 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040AF29 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00406A9E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00416C68 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040B8E7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00442851 Relevance: 6.1, APIs: 4, Instructions: 133COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040C047 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040A564 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00443AD3 Relevance: 6.1, APIs: 4, Instructions: 63COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00443B52 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004485E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041C516 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041941E Relevance: 6.0, APIs: 4, Instructions: 43COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00438FB1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00451BB7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00416676 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0044F0F7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00448B66 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040B681 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040B6DB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00413A5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041288B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00411B9A Relevance: 5.1, APIs: 4, Instructions: 119COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|