Edit tour
Windows
Analysis Report
17323410667d99229b9ce677d696d20502ddaab36e60066e7988d89e342c219aec646f9f24501.dat-decoded.exe
Overview
General Information
| Sample name: | 17323410667d99229b9ce677d696d20502ddaab36e60066e7988d89e342c219aec646f9f24501.dat-decoded.exe |
| Analysis ID: | 1561340 |
| MD5: | 0a5ef4ce865711c55bbd9e3ba61bcd4f |
| SHA1: | af23d89a402faaf366a0374a24dcd5844b386d62 |
| SHA256: | fc7beeae6b795561f216733b82611c8db1643cc883ded6fbca9c447c7a985358 |
| Tags: | base64-decodedexeuser-abuse_ch |
| Infos: |  |
 | |
Detection
Remcos
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
17323410667d99229b9ce677d696d20502ddaab36e60066e7988d89e342c219aec646f9f24501.dat-decoded.exe (PID: 1092 cmdline: "C:\Users\ user\Deskt op\1732341 0667d99229 b9ce677d69 6d20502dda ab36e60066 e7988d89e3 42c219aec6 46f9f24501 .dat-decod ed.exe" MD5: 0A5EF4CE865711C55BBD9E3BA61BCD4F)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity. |
{"Host:Port:Password": ["championsleague24.duckdns.org:8090:1"], "Assigned name": "oct24", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "wsbdetrdfeyt45-ZLEH2L", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "ops.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "windir"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
| REMCOS_RAT_variants | unknown | unknown |
| |
| Click to see the 1 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| Click to see the 7 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
| REMCOS_RAT_variants | unknown | unknown |
| |
| Click to see the 7 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T06:53:40.459003+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49988 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:54:09.689710+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49705 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:54:32.737082+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49712 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:54:55.841094+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49713 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:55:19.137812+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49746 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:55:42.233297+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49798 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:56:05.317024+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49850 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:56:28.661358+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49901 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:56:51.749345+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49953 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:57:14.756127+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49986 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:57:38.205432+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49987 | 180.19.180.122 | 8090 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_004338C8 | |
| Source: | Binary or memory string: | memstr_c69971b3-7 | |
Exploits | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Privilege Escalation | |
|---|
| Source: | Code function: | 0_2_00407538 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0040928E | |
| Source: | Code function: | 0_2_0041C322 | |
| Source: | Code function: | 0_2_0040C388 | |
| Source: | Code function: | 0_2_004096A0 | |
| Source: | Code function: | 0_2_00408847 | |
| Source: | Code function: | 0_2_00407877 | |
| Source: | Code function: | 0_2_0044E8F9 | |
| Source: | Code function: | 0_2_0040BB6B | |
| Source: | Code function: | 0_2_00419B86 | |
| Source: | Code function: | 0_2_0040BD72 | |
| Source: | Code function: | 0_2_00407CD2 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | DNS query: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00426D42 | |
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | Code function: | 0_2_0040A2F3 | |
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040B749 | |
| Source: | Code function: | 0_2_004168FC | |
| Source: | Code function: | 0_2_0040B749 | |
| Source: | Code function: | 0_2_0040A41B | |
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Spam, unwanted Advertisements and Ransom Demands | |
|---|
| Source: | Code function: | 0_2_0041CA73 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_0041330D | |
| Source: | Code function: | 0_2_0041BBC6 | |
| Source: | Code function: | 0_2_0041BB9A | |
| Source: | Code function: | 0_2_004167EF | |
| Source: | Code function: | 0_2_0043706A | |
| Source: | Code function: | 0_2_00414005 | |
| Source: | Code function: | 0_2_0043E11C | |
| Source: | Code function: | 0_2_004541D9 | |
| Source: | Code function: | 0_2_004381E8 | |
| Source: | Code function: | 0_2_0041F18B | |
| Source: | Code function: | 0_2_00446270 | |
| Source: | Code function: | 0_2_0043E34B | |
| Source: | Code function: | 0_2_004533AB | |
| Source: | Code function: | 0_2_0042742E | |
| Source: | Code function: | 0_2_00437566 | |
| Source: | Code function: | 0_2_0043E5A8 | |
| Source: | Code function: | 0_2_004387F0 | |
| Source: | Code function: | 0_2_0043797E | |
| Source: | Code function: | 0_2_004339D7 | |
| Source: | Code function: | 0_2_0044DA49 | |
| Source: | Code function: | 0_2_00427AD7 | |
| Source: | Code function: | 0_2_0041DBF3 | |
| Source: | Code function: | 0_2_00427C40 | |
| Source: | Code function: | 0_2_00437DB3 | |
| Source: | Code function: | 0_2_00435EEB | |
| Source: | Code function: | 0_2_0043DEED | |
| Source: | Code function: | 0_2_00426E9F | |
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_0041798D | |
| Source: | Code function: | 0_2_0040F4AF | |
| Source: | Code function: | 0_2_0041B539 | |
| Source: | Code function: | 0_2_0041AADB | |
| Source: | Mutant created: | ||
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Command line argument: | 0_2_0040EA00 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0041CBE1 | |
| Source: | Code function: | 0_2_00457199 | |
| Source: | Code function: | 0_2_00457AC6 | |
| Source: | Code function: | 0_2_00434EC9 | |
| Source: | Code function: | 0_2_00406EEB | |
| Source: | Code function: | 0_2_0041AADB | |
| Source: | Code function: | 0_2_0041CBE1 | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Code function: | 0_2_0040F7E2 | |
| Source: | Code function: | 0_2_0041A7D9 | |
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040928E | |
| Source: | Code function: | 0_2_0041C322 | |
| Source: | Code function: | 0_2_0040C388 | |
| Source: | Code function: | 0_2_004096A0 | |
| Source: | Code function: | 0_2_00408847 | |
| Source: | Code function: | 0_2_00407877 | |
| Source: | Code function: | 0_2_0044E8F9 | |
| Source: | Code function: | 0_2_0040BB6B | |
| Source: | Code function: | 0_2_00419B86 | |
| Source: | Code function: | 0_2_0040BD72 | |
| Source: | Code function: | 0_2_00407CD2 | |
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-48676 | ||
| Source: | Code function: | 0_2_00434A8A | |
| Source: | Code function: | 0_2_0041CBE1 | |
| Source: | Code function: | 0_2_00443355 | |
| Source: | Code function: | 0_2_004120B2 | |
| Source: | Code function: | 0_2_0043503C | |
| Source: | Code function: | 0_2_00434A8A | |
| Source: | Code function: | 0_2_0043BB71 | |
| Source: | Code function: | 0_2_00434BD8 | |
| Source: | Code function: | 0_2_00412132 | |
| Source: | Code function: | 0_2_00419662 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00434CB6 | |
| Source: | Code function: | 0_2_0045201B | |
| Source: | Code function: | 0_2_004520B6 | |
| Source: | Code function: | 0_2_00452143 | |
| Source: | Code function: | 0_2_00452393 | |
| Source: | Code function: | 0_2_00448484 | |
| Source: | Code function: | 0_2_004524BC | |
| Source: | Code function: | 0_2_004525C3 | |
| Source: | Code function: | 0_2_00452690 | |
| Source: | Code function: | 0_2_0044896D | |
| Source: | Code function: | 0_2_0040F90C | |
| Source: | Code function: | 0_2_00451D58 | |
| Source: | Code function: | 0_2_00451FD0 | |
| Source: | Code function: | 0_2_00404F51 | |
| Source: | Code function: | 0_2_0041B69E | |
| Source: | Code function: | 0_2_00449210 | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_0040BA4D | |
| Source: | Code function: | 0_2_0040BB6B | |
| Source: | Code function: | 0_2_0040BB6B | |
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_0040569A | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement |
| Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Virtualization/Sandbox Evasion | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 21 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 87% | ReversingLabs | Win32.Backdoor.Remcos | ||
| 100% | Avira | BDS/Backdoor.Gen | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| championsleague24.duckdns.org | 180.19.180.122 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 180.19.180.122 | championsleague24.duckdns.org | Japan | 4713 | OCNNTTCommunicationsCorporationJP | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1561340 |
| Start date and time: | 2024-11-23 06:52:17 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 58s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 17323410667d99229b9ce677d696d20502ddaab36e60066e7988d89e342c219aec646f9f24501.dat-decoded.exe |
| Detection: | MAL |
| Classification: | mal100.rans.troj.spyw.expl.evad.winEXE@1/1@5/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: 17323410667d99229b9ce677d696d20502ddaab36e60066e7988d89e342c219aec646f9f24501.dat-decoded.exe
| Time | Type | Description |
|---|---|---|
| 00:54:17 | API Interceptor |
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| OCNNTTCommunicationsCorporationJP | Get hash | malicious | Mirai, Moobot | Browse |
| |
| Get hash | malicious | Mirai, Okiru | Browse |
| ||
| Get hash | malicious | Mirai, Moobot | Browse |
| ||
| Get hash | malicious | Mirai, Okiru | Browse |
| ||
| Get hash | malicious | Mirai, Moobot | Browse |
| ||
| Get hash | malicious | Mirai, Moobot | Browse |
| ||
| Get hash | malicious | Mirai, Moobot | Browse |
| ||
| Get hash | malicious | Mirai, Okiru | Browse |
| ||
| Get hash | malicious | Mirai, Okiru | Browse |
| ||
| Get hash | malicious | Mirai, Okiru | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\17323410667d99229b9ce677d696d20502ddaab36e60066e7988d89e342c219aec646f9f24501.dat-decoded.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 224 |
| Entropy (8bit): | 7.0593688728538595 |
| Encrypted: | false |
| SSDEEP: | 6:6YvaYCYpjmnQ+C7l4xRSUEH3JINZn7ExFnvQP:6YSYCYpKEIRSTHZIH4kP |
| MD5: | B455A4B18DC00A6CF7F372A26C7570B4 |
| SHA1: | 2EE63CBC5E614FAAB35C4ADD10BA4A353745B85E |
| SHA-256: | E1A4443E4A10C07D4BAE333089615E13CCEC44E9FE756D746AFF7D8E4FBA59CE |
| SHA-512: | CB5B8DA61448666EA29971D5CEEF2BAF9C49D1156B4F2A6E554B3D84443D54F986285B8A03481EE2ACE42074BC875BBD7E0EFF917024A5FAB988A58E348D37A1 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.600536037690552 |
| TrID: |
|
| File name: | 17323410667d99229b9ce677d696d20502ddaab36e60066e7988d89e342c219aec646f9f24501.dat-decoded.exe |
| File size: | 494'592 bytes |
| MD5: | 0a5ef4ce865711c55bbd9e3ba61bcd4f |
| SHA1: | af23d89a402faaf366a0374a24dcd5844b386d62 |
| SHA256: | fc7beeae6b795561f216733b82611c8db1643cc883ded6fbca9c447c7a985358 |
| SHA512: | f79a23f44518c1fb363264fa5bde787ba44d80bff1af7464f2f515ef9b45aa4774f13ae4dc5440fa15918db3c9224183a1b12d2731059dec1f2b85640f0f8030 |
| SSDEEP: | 12288:W5k+Yqaxrh3Nln+N52fIA4jbsvZzFVA4:gY9xrh3NDfIA4jOZx |
| TLSH: | B3B49E01BAD2C072D97514300D3AF776EAB8BD201835497B73DA1D5BFE31190A72AAB7 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH.. |
 | |
| Icon Hash: | 95694d05214c1b33 |
| Entrypoint: | 0x434a80 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6710C0B1 [Thu Oct 17 07:45:53 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 1389569a3a39186f3eb453b501cfe688 |
| Instruction |
|---|
| call 00007FC2587ECB6Bh |
| jmp 00007FC2587EC5B3h |
| push ebp |
| mov ebp, esp |
| sub esp, 00000324h |
| push ebx |
| push esi |
| push 00000017h |
| call 00007FC25880EE03h |
| test eax, eax |
| je 00007FC2587EC727h |
| mov ecx, dword ptr [ebp+08h] |
| int 29h |
| xor esi, esi |
| lea eax, dword ptr [ebp-00000324h] |
| push 000002CCh |
| push esi |
| push eax |
| mov dword ptr [00471D14h], esi |
| call 00007FC2587EEB76h |
| add esp, 0Ch |
| mov dword ptr [ebp-00000274h], eax |
| mov dword ptr [ebp-00000278h], ecx |
| mov dword ptr [ebp-0000027Ch], edx |
| mov dword ptr [ebp-00000280h], ebx |
| mov dword ptr [ebp-00000284h], esi |
| mov dword ptr [ebp-00000288h], edi |
| mov word ptr [ebp-0000025Ch], ss |
| mov word ptr [ebp-00000268h], cs |
| mov word ptr [ebp-0000028Ch], ds |
| mov word ptr [ebp-00000290h], es |
| mov word ptr [ebp-00000294h], fs |
| mov word ptr [ebp-00000298h], gs |
| pushfd |
| pop dword ptr [ebp-00000264h] |
| mov eax, dword ptr [ebp+04h] |
| mov dword ptr [ebp-0000026Ch], eax |
| lea eax, dword ptr [ebp+04h] |
| mov dword ptr [ebp-00000260h], eax |
| mov dword ptr [ebp-00000324h], 00010001h |
| mov eax, dword ptr [eax-04h] |
| push 00000050h |
| mov dword ptr [ebp-00000270h], eax |
| lea eax, dword ptr [ebp-58h] |
| push esi |
| push eax |
| call 00007FC2587EEAEDh |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eeb8 | 0x104 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4b34 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bc8 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d350 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3e4 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d388 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x500 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x571f5 | 0x57200 | 42490688bcf3aaa371282a7454b99e23 | False | 0.5716155173959828 | data | 6.625772280516175 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x59000 | 0x179dc | 0x17a00 | 8c19f58f5a4e5f2d5359d54234473252 | False | 0.5008370535714286 | data | 5.862025333737917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x71000 | 0x5d54 | 0xe00 | 0eaccffe1cb836994ce5d3ccfb22d4f9 | False | 0.22126116071428573 | data | 3.0035180736120775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .gfids | 0x78000 | 0x230 | 0x400 | 9ca325bce9f8c0342c0381814603584a | False | 0.330078125 | data | 2.3999762503719224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x79000 | 0x4b34 | 0x4c00 | 678782decc7c5d547ea16a83039e656d | False | 0.2824835526315789 | data | 3.986253692684117 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x7e000 | 0x3bc8 | 0x3c00 | 71caad037f5f2070293ebf9ebb49e4e2 | False | 0.764453125 | data | 6.724383647387111 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837 |
| RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885 |
| RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052 |
| RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513 |
| RT_RCDATA | 0x7d5cc | 0x527 | data | 1.0083396512509477 | ||
| RT_GROUP_ICON | 0x7daf4 | 0x3e | data | English | United States | 0.8064516129032258 |
| DLL | Import |
|---|---|
| KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile |
| USER32.dll | GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo |
| GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC |
| ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA |
| SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW |
| ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject |
| SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA |
| WINMM.dll | waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader |
| WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket |
| urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW |
| gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream |
| WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T06:53:40.459003+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49988 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:54:09.689710+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49705 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:54:32.737082+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49712 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:54:55.841094+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49713 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:55:19.137812+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49746 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:55:42.233297+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49798 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:56:05.317024+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49850 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:56:28.661358+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49901 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:56:51.749345+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49953 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:57:14.756127+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49986 | 180.19.180.122 | 8090 | TCP |
| 2024-11-23T06:57:38.205432+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49987 | 180.19.180.122 | 8090 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 06:53:47.611891985 CET | 49705 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:53:47.731446981 CET | 8090 | 49705 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:53:47.731611013 CET | 49705 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:53:47.805025101 CET | 49705 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:53:47.924745083 CET | 8090 | 49705 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:54:09.689657927 CET | 8090 | 49705 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:54:09.689709902 CET | 49705 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:09.689780951 CET | 49705 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:09.809319973 CET | 8090 | 49705 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:54:10.694890976 CET | 49712 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:10.814426899 CET | 8090 | 49712 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:54:10.816848993 CET | 49712 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:10.820549011 CET | 49712 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:10.939976931 CET | 8090 | 49712 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:54:32.736952066 CET | 8090 | 49712 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:54:32.737082005 CET | 49712 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:32.737267971 CET | 49712 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:32.856674910 CET | 8090 | 49712 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:54:33.743586063 CET | 49713 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:33.863276958 CET | 8090 | 49713 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:54:33.863358974 CET | 49713 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:33.867383003 CET | 49713 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:33.986983061 CET | 8090 | 49713 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:54:55.840981007 CET | 8090 | 49713 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:54:55.841094017 CET | 49713 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:55.841136932 CET | 49713 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:55.960645914 CET | 8090 | 49713 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:54:57.059123993 CET | 49746 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:57.178944111 CET | 8090 | 49746 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:54:57.179075956 CET | 49746 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:57.182538986 CET | 49746 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:54:57.302062988 CET | 8090 | 49746 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:55:19.137734890 CET | 8090 | 49746 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:55:19.137811899 CET | 49746 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:55:19.137939930 CET | 49746 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:55:19.257446051 CET | 8090 | 49746 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:55:20.147798061 CET | 49798 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:55:20.267304897 CET | 8090 | 49798 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:55:20.267395973 CET | 49798 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:55:20.270867109 CET | 49798 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:55:20.390320063 CET | 8090 | 49798 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:55:42.233141899 CET | 8090 | 49798 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:55:42.233297110 CET | 49798 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:55:42.233344078 CET | 49798 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:55:42.352823973 CET | 8090 | 49798 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:55:43.241893053 CET | 49850 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:55:43.361392975 CET | 8090 | 49850 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:55:43.361547947 CET | 49850 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:55:43.364968061 CET | 49850 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:55:43.484672070 CET | 8090 | 49850 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:56:05.316911936 CET | 8090 | 49850 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:56:05.317023993 CET | 49850 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:05.317079067 CET | 49850 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:05.436520100 CET | 8090 | 49850 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:56:06.648118973 CET | 49901 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:06.767576933 CET | 8090 | 49901 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:56:06.768054962 CET | 49901 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:06.771433115 CET | 49901 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:06.890882015 CET | 8090 | 49901 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:56:28.661303043 CET | 8090 | 49901 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:56:28.661358118 CET | 49901 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:28.661397934 CET | 49901 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:28.780893087 CET | 8090 | 49901 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:56:29.663736105 CET | 49953 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:29.783555984 CET | 8090 | 49953 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:56:29.783646107 CET | 49953 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:29.788315058 CET | 49953 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:29.907793999 CET | 8090 | 49953 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:56:51.749017000 CET | 8090 | 49953 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:56:51.749345064 CET | 49953 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:51.749450922 CET | 49953 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:51.868896008 CET | 8090 | 49953 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:56:52.761451960 CET | 49986 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:52.880951881 CET | 8090 | 49986 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:56:52.881277084 CET | 49986 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:52.884717941 CET | 49986 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:56:53.004169941 CET | 8090 | 49986 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:57:14.756064892 CET | 8090 | 49986 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:57:14.756127119 CET | 49986 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:57:14.756207943 CET | 49986 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:57:14.875648975 CET | 8090 | 49986 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:57:16.130889893 CET | 49987 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:57:16.250533104 CET | 8090 | 49987 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:57:16.250643969 CET | 49987 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:57:16.319035053 CET | 49987 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:57:16.438591003 CET | 8090 | 49987 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:57:38.203145027 CET | 8090 | 49987 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:57:38.205431938 CET | 49987 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:57:38.211309910 CET | 49987 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:57:38.330832005 CET | 8090 | 49987 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:57:39.226485014 CET | 49988 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:57:39.346025944 CET | 8090 | 49988 | 180.19.180.122 | 192.168.2.8 |
| Nov 23, 2024 06:57:39.346108913 CET | 49988 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:57:39.349988937 CET | 49988 | 8090 | 192.168.2.8 | 180.19.180.122 |
| Nov 23, 2024 06:57:39.469451904 CET | 8090 | 49988 | 180.19.180.122 | 192.168.2.8 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 06:53:45.869653940 CET | 51213 | 53 | 192.168.2.8 | 1.1.1.1 |
| Nov 23, 2024 06:53:46.865681887 CET | 51213 | 53 | 192.168.2.8 | 1.1.1.1 |
| Nov 23, 2024 06:53:47.591306925 CET | 53 | 51213 | 1.1.1.1 | 192.168.2.8 |
| Nov 23, 2024 06:53:47.591356993 CET | 53 | 51213 | 1.1.1.1 | 192.168.2.8 |
| Nov 23, 2024 06:54:56.850348949 CET | 56569 | 53 | 192.168.2.8 | 1.1.1.1 |
| Nov 23, 2024 06:54:57.058058023 CET | 53 | 56569 | 1.1.1.1 | 192.168.2.8 |
| Nov 23, 2024 06:56:06.319789886 CET | 51534 | 53 | 192.168.2.8 | 1.1.1.1 |
| Nov 23, 2024 06:56:06.643135071 CET | 53 | 51534 | 1.1.1.1 | 192.168.2.8 |
| Nov 23, 2024 06:57:15.788054943 CET | 54874 | 53 | 192.168.2.8 | 1.1.1.1 |
| Nov 23, 2024 06:57:16.117265940 CET | 53 | 54874 | 1.1.1.1 | 192.168.2.8 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 06:53:45.869653940 CET | 192.168.2.8 | 1.1.1.1 | 0x5c42 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 23, 2024 06:53:46.865681887 CET | 192.168.2.8 | 1.1.1.1 | 0x5c42 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 23, 2024 06:54:56.850348949 CET | 192.168.2.8 | 1.1.1.1 | 0x286e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 23, 2024 06:56:06.319789886 CET | 192.168.2.8 | 1.1.1.1 | 0xf0c0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 23, 2024 06:57:15.788054943 CET | 192.168.2.8 | 1.1.1.1 | 0x9998 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 06:53:47.591306925 CET | 1.1.1.1 | 192.168.2.8 | 0x5c42 | No error (0) | 180.19.180.122 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 06:53:47.591356993 CET | 1.1.1.1 | 192.168.2.8 | 0x5c42 | No error (0) | 180.19.180.122 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 06:54:57.058058023 CET | 1.1.1.1 | 192.168.2.8 | 0x286e | No error (0) | 180.19.180.122 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 06:56:06.643135071 CET | 1.1.1.1 | 192.168.2.8 | 0xf0c0 | No error (0) | 180.19.180.122 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 06:57:16.117265940 CET | 1.1.1.1 | 192.168.2.8 | 0x9998 | No error (0) | 180.19.180.122 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 00:53:44 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\17323410667d99229b9ce677d696d20502ddaab36e60066e7988d89e342c219aec646f9f24501.dat-decoded.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 494'592 bytes |
| MD5 hash: | 0A5EF4CE865711C55BBD9E3BA61BCD4F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 3.4% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 24.1% |
| Total number of Nodes: | 1173 |
| Total number of Limit Nodes: | 50 |
Graph
Function 0041CBE1 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A2F3 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 63windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040F7E2 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 88sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B69E Relevance: 3.0, APIs: 2, Instructions: 41COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00426D42 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414F65 Relevance: 42.8, APIs: 5, Strings: 19, Instructions: 809sleepnetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004048C8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404E26 Relevance: 18.1, APIs: 12, Instructions: 65synchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A761 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 163sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040AD11 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041C482 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A6B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A1B4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004137AA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041C516 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D0A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00446206 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040482D Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414F24 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004461B8 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040489E Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00426D59 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040569A Relevance: 47.5, APIs: 15, Strings: 12, Instructions: 278pipesleepfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00407CD2 Relevance: 44.6, APIs: 10, Strings: 15, Instructions: 835filesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00412132 Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 238threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BB6B Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004168FC Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 80clipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040F4AF Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 210processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BD72 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041330D Relevance: 18.2, APIs: 12, Instructions: 153fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A41B Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112keyboardthreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004167EF Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 97libraryloadershutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00452690 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 188COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040C388 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041C322 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414005 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 382registrylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00449210 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419B86 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 245fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00406EEB Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 222filenetworkCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00408847 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BA4D Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004541D9 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040928E Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041AADB Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004524BC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004096A0 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0045201B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00452143 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041BBC6 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041BB9A Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004520B6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044896D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004120B2 Relevance: 2.6, APIs: 2, Instructions: 55memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004339D7 Relevance: 1.8, Strings: 1, Instructions: 501COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00434CB6 Relevance: 1.6, APIs: 1, Instructions: 134COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00452393 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004525C3 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040F90C Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00434BD8 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043E34B Relevance: 1.5, Strings: 1, Instructions: 237COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00427AD7 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044DA49 Relevance: .6, Instructions: 637COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041F18B Relevance: .6, Instructions: 598COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042742E Relevance: .4, Instructions: 435COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00426E9F Relevance: .4, Instructions: 383COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00437DB3 Relevance: .3, Instructions: 345COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004381E8 Relevance: .3, Instructions: 341COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043797E Relevance: .3, Instructions: 331COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00437566 Relevance: .3, Instructions: 323COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041DBF3 Relevance: .3, Instructions: 277COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043E5A8 Relevance: .2, Instructions: 237COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043E11C Relevance: .2, Instructions: 214COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043DEED Relevance: .2, Instructions: 214COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00427C40 Relevance: .2, Instructions: 187COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004387F0 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418EB1 Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 328windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041812A Relevance: 49.3, APIs: 22, Strings: 6, Instructions: 289libraryloaderthreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D45B Relevance: 49.3, APIs: 6, Strings: 22, Instructions: 282registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D0D1 Relevance: 44.0, APIs: 6, Strings: 19, Instructions: 260registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004124B0 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 190synchronizationsleepfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B0D8 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 180synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401CE9 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004072AB Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040CE34 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 203fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041C0AC Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044F4AD Relevance: 25.9, APIs: 17, Instructions: 419COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00412AEF Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 482sleepfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041D620 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00445DD7 Relevance: 22.8, APIs: 15, Instructions: 296COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00408BB5 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 328fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414DC1 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 109libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00450680 Relevance: 18.4, APIs: 12, Instructions: 376COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00455C5B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041697B Relevance: 17.5, APIs: 8, Strings: 2, Instructions: 46clipboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004054A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417D1A Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004481A1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041C720 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 214registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041A045 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004174D0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041D4EE Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00453E03 Relevance: 13.8, APIs: 9, Instructions: 268COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004451FA Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040799E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041CE2C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 48memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004475F1 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00444D7C Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044B43C Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040186A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B411 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BADC Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041AE51 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043AB5C Relevance: 9.3, APIs: 6, Instructions: 284COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00411D39 Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041AD09 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041AB37 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041AC3B Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041ACA2 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413D48 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 135registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041D5A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00407790 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041384F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004433DA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004050E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00412716 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 93sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044F3DA Relevance: 7.6, APIs: 5, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041C26E Relevance: 7.5, APIs: 5, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004440E8 Relevance: 7.5, APIs: 5, Instructions: 30COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417627 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413A90 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040AF29 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044BDEC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00406A9E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00416C68 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B8E7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00442851 Relevance: 6.1, APIs: 4, Instructions: 133COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404CC3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040C047 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A564 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00443AD3 Relevance: 6.1, APIs: 4, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00443B52 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004485E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041941E Relevance: 6.0, APIs: 4, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00438FB1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00451BB7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00416676 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00448B66 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B681 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B6DB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413A5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041288B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00411B9A Relevance: 5.1, APIs: 4, Instructions: 119COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|